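#! /bin/sh
# Tests ECC cipher suites using ssltest. Requires one argument which could
# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
# A second optional argument can be one of ssl2 ssl3 or tls1
#
# The protocol may also be supplied through the SSL_VERSION environment
# variable; the second argument takes precedence when both are given.
#
# Exit status: 0 when every ssltest invocation succeeded; 1 on a usage
# error, a missing ssltest binary, or at least one failed invocation.
#
# Security note: the suite lists below exist for interoperability coverage
# only. They deliberately include NULL suites (no encryption), RC4 and
# DES-CBC3 suites, and anonymous AECDH suites (no peer authentication, so
# no protection against an active man-in-the-middle). The test material is
# likewise small: certificates named for 160/163-bit curves and 1024-bit
# RSA, and the obsolete ssl2/ssl3 protocols. None of this is a
# recommendation for a deployed cipher configuration.

# Print the usage text on stderr.
usage() {
    (echo "Usage: $0 test [ protocol ]"
     echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
     echo " and protocol (optional) is one of ssl2, ssl3, tls1"
     echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
    ) >&2
}

# Reject a missing or misspelled test name up front. Without this check a
# typo matched none of the branches below, nothing was tested, and the
# script still reported success.
case "$1" in
    aecdh|ecdh-ecdsa|ecdhe-ecdsa|ecdh-rsa|ecdhe-rsa)
        ;;
    "")
        usage
        exit 1
        ;;
    *)
        echo "$0: unknown test '$1'" >&2
        usage
        exit 1
        ;;
esac


OPENSSL_DIR=../..
CERTS_DIR=./Certs
SSLTEST=$OPENSSL_DIR/test/ssltest

# These don't really require any certificates
AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"

# These require ECC certificates signed with ECDSA
# The EC public key must be authorized for key agreement.
ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"

# These require ECC certificates.
# The EC public key must be authorized for digital signature.
ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"

# These require ECC certificates signed with RSA.
# The EC public key must be authorized for key agreement.
ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"

# These require RSA certificates.
# The RSA public key must be authorized for digital signature.
ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"

# List of Elliptic curves over which we wish to test generation of
# ephemeral ECDH keys when using AECDH or ECDHE ciphers
# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"

DEFAULT_CURVE="sect163r2"

# SSL protocol version to test (one of ssl2 ssl3 or tls1), turned into the
# matching ssltest flag. An empty value means "let ssltest pick".
if [ "$2" = "" ]; then
    if [ "$SSL_VERSION" = "" ]; then
        SSL_VERSION=""
    else
        SSL_VERSION="-$SSL_VERSION"
    fi
else
    SSL_VERSION="-$2"
fi

# Fail early and clearly when the test binary has not been built, instead
# of printing one "not found" error per cipher suite.
if [ ! -x "$SSLTEST" ]; then
    echo "$0: cannot execute $SSLTEST" >&2
    exit 1
fi

# Number of ssltest invocations that returned a non-zero status.
FAILED=0

# Run ssltest with the selected protocol flag plus the given arguments and
# record a failure instead of silently moving on to the next suite.
run_ssltest() {
    # SSL_VERSION is deliberately unquoted: when empty it must expand to
    # no argument at all rather than to an empty string.
    # shellcheck disable=SC2086
    "$SSLTEST" $SSL_VERSION "$@"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "FAILED (exit status $status): $*" >&2
        FAILED=$((FAILED + 1))
    fi
}

#==============================================================
# Anonymous cipher suites do not require key or certificate files
# but ssltest expects a cert file and complains if it can't
# open the default one.
SERVER_PEM=$OPENSSL_DIR/apps/server.pem

if [ "$1" = "aecdh" ]; then
    for cipher in $AECDH_CIPHER_LIST
    do
        echo "Testing $cipher"
        run_ssltest -cert "$SERVER_PEM" -cipher "$cipher"
    done
    #--------------------------------------------------------------
    for curve in $ELLIPTIC_CURVE_LIST
    do
        echo "Testing AECDH-NULL-SHA (with $curve)"
        run_ssltest -cert "$SERVER_PEM" \
            -named_curve "$curve" -cipher AECDH-NULL-SHA
    done

    for curve in $ELLIPTIC_CURVE_LIST
    do
        echo "Testing AECDH-RC4-SHA (with $curve)"
        run_ssltest -cert "$SERVER_PEM" \
            -named_curve "$curve" -cipher AECDH-RC4-SHA
    done
fi

#==============================================================
# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require
# the server to have an ECC certificate signed with ECDSA.
CA_PEM=$CERTS_DIR/secp160r1TestCA.pem
SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem

if [ "$1" = "ecdh-ecdsa" ]; then
    for cipher in $ECDH_ECDSA_CIPHER_LIST
    do
        echo "Testing $cipher (with server authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -cipher "$cipher"

        echo "Testing $cipher (with server and client authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -c_cert "$CLIENT_PEM" -client_auth \
            -cipher "$cipher"
    done
fi

#==============================================================
if [ "$1" = "ecdhe-ecdsa" ]; then
    for cipher in $ECDHE_ECDSA_CIPHER_LIST
    do
        echo "Testing $cipher (with server authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -cipher "$cipher" -named_curve "$DEFAULT_CURVE"

        echo "Testing $cipher (with server and client authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -c_cert "$CLIENT_PEM" -client_auth \
            -cipher "$cipher" -named_curve "$DEFAULT_CURVE"
    done

    #--------------------------------------------------------------
    for curve in $ELLIPTIC_CURVE_LIST
    do
        echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -c_cert "$CLIENT_PEM" -client_auth \
            -cipher ECDHE-ECDSA-AES128-SHA -named_curve "$curve"
    done
fi

#==============================================================
# ECDH-RSA cipher suites require the server to have an ECC
# certificate signed with RSA.
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem

if [ "$1" = "ecdh-rsa" ]; then
    for cipher in $ECDH_RSA_CIPHER_LIST
    do
        echo "Testing $cipher (with server authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -cipher "$cipher"

        echo "Testing $cipher (with server and client authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -c_cert "$CLIENT_PEM" -client_auth \
            -cipher "$cipher"
    done
fi

#==============================================================
# ECDHE-RSA cipher suites require the server to have an RSA cert.
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem

if [ "$1" = "ecdhe-rsa" ]; then
    for cipher in $ECDHE_RSA_CIPHER_LIST
    do
        echo "Testing $cipher (with server authentication)"
        # Only this branch prints the command line before running it;
        # SSL_VERSION stays unquoted so an empty value prints nothing.
        # shellcheck disable=SC2086
        echo "$SSLTEST" $SSL_VERSION -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -cipher "$cipher" -named_curve "$DEFAULT_CURVE"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -cipher "$cipher" -named_curve "$DEFAULT_CURVE"

        echo "Testing $cipher (with server and client authentication)"
        run_ssltest -CAfile "$CA_PEM" \
            -cert "$SERVER_PEM" -server_auth \
            -c_cert "$CLIENT_PEM" -client_auth \
            -cipher "$cipher" -named_curve "$DEFAULT_CURVE"
    done
fi
#==============================================================

# Report the overall result. Previously the exit status was that of the
# last command only, so a failed handshake in any earlier iteration was
# never visible to the caller.
if [ "$FAILED" -ne 0 ]; then
    echo "$0: $FAILED ssltest invocation(s) failed" >&2
    exit 1
fi
exit 0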