1160814Ssimon#! /bin/sh
2160814Ssimon# Tests ECC cipher suites using ssltest. Requires one argument which could
3160814Ssimon# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
4160814Ssimon# A second optional argument can be one of ssl2 ssl3 or tls1
5160814Ssimon
6160814Ssimonif [ "$1" = "" ]; then
7160814Ssimon  (echo "Usage: $0 test [ protocol ]"
8160814Ssimon   echo "   where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
9160814Ssimon   echo "   and protocol (optional) is one of ssl2, ssl3, tls1"
10160814Ssimon   echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
11160814Ssimon  ) >&2
12160814Ssimon  exit 1
13160814Ssimonfi
14160814Ssimon
15160814Ssimon
16160814SsimonOPENSSL_DIR=../..
17160814SsimonCERTS_DIR=./Certs
18160814SsimonSSLTEST=$OPENSSL_DIR/test/ssltest
19160814Ssimon# SSL protocol version to test (one of ssl2 ssl3 or tls1)"
20160814SsimonSSLVERSION=
21160814Ssimon
22160814Ssimon# These don't really require any certificates
23160814SsimonAECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
24160814Ssimon
25160814Ssimon# These require ECC certificates signed with ECDSA
26160814Ssimon# The EC public key must be authorized for key agreement.
27160814SsimonECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
28160814Ssimon
29160814Ssimon# These require ECC certificates.
30160814Ssimon# The EC public key must be authorized for digital signature.
31160814SsimonECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"
32160814Ssimon
33160814Ssimon# These require ECC certificates signed with RSA.
34160814Ssimon# The EC public key must be authorized for key agreement.
35160814SsimonECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
36160814Ssimon
37160814Ssimon# These require RSA certificates.
38160814Ssimon# The RSA public key must be authorized for digital signature.
39160814SsimonECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"
40160814Ssimon
41160814Ssimon# List of Elliptic curves over which we wish to test generation of
42160814Ssimon# ephemeral ECDH keys when using AECDH or ECDHE ciphers
43160814Ssimon# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
44160814Ssimon#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
45160814SsimonELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"
46160814Ssimon
47160814SsimonDEFAULT_CURVE="sect163r2"
48160814Ssimon
49160814Ssimonif [ "$2" = "" ]; then
50160814Ssimon    if [ "$SSL_VERSION" = "" ]; then
51160814Ssimon	SSL_VERSION=""
52160814Ssimon    else
53160814Ssimon	SSL_VERSION="-$SSL_VERSION"
54160814Ssimon    fi
55160814Ssimonelse
56160814Ssimon    SSL_VERSION="-$2"
57160814Ssimonfi
58160814Ssimon
59160814Ssimon#==============================================================
60160814Ssimon# Anonymous cipher suites do not require key or certificate files
61160814Ssimon# but ssltest expects a cert file and complains if it can't
62160814Ssimon# open the default one.
63160814SsimonSERVER_PEM=$OPENSSL_DIR/apps/server.pem
64160814Ssimon
65160814Ssimonif [ "$1" = "aecdh" ]; then
66160814Ssimonfor cipher in $AECDH_CIPHER_LIST
67160814Ssimondo
68160814Ssimon    echo "Testing $cipher"
69160814Ssimon    $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 
70160814Ssimondone
71160814Ssimon#--------------------------------------------------------------
72160814Ssimonfor curve in $ELLIPTIC_CURVE_LIST
73160814Ssimondo
74160814Ssimon    echo "Testing AECDH-NULL-SHA (with $curve)"
75160814Ssimon    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
76160814Ssimon	-named_curve $curve -cipher AECDH-NULL-SHA
77160814Ssimondone
78160814Ssimon
79160814Ssimonfor curve in $ELLIPTIC_CURVE_LIST
80160814Ssimondo
81160814Ssimon    echo "Testing AECDH-RC4-SHA (with $curve)"
82160814Ssimon    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
83160814Ssimon	-named_curve $curve -cipher AECDH-RC4-SHA
84160814Ssimondone
85160814Ssimonfi
86160814Ssimon
87160814Ssimon#==============================================================
88160814Ssimon# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 
89160814Ssimon# the server to have an ECC certificate signed with ECDSA.
90160814SsimonCA_PEM=$CERTS_DIR/secp160r1TestCA.pem
91160814SsimonSERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
92160814SsimonCLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem
93160814Ssimon
94160814Ssimonif [ "$1" = "ecdh-ecdsa" ]; then
95160814Ssimonfor cipher in $ECDH_ECDSA_CIPHER_LIST
96160814Ssimondo
97160814Ssimon    echo "Testing $cipher (with server authentication)"
98160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
99160814Ssimon	-cert $SERVER_PEM -server_auth \
100160814Ssimon	-cipher $cipher
101160814Ssimon
102160814Ssimon    echo "Testing $cipher (with server and client authentication)"
103160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
104160814Ssimon	-cert $SERVER_PEM -server_auth \
105160814Ssimon	-c_cert $CLIENT_PEM -client_auth \
106160814Ssimon	-cipher $cipher
107160814Ssimondone
108160814Ssimonfi
109160814Ssimon
110160814Ssimon#==============================================================
111160814Ssimonif [ "$1" = "ecdhe-ecdsa" ]; then
112160814Ssimonfor cipher in $ECDHE_ECDSA_CIPHER_LIST
113160814Ssimondo
114160814Ssimon    echo "Testing $cipher (with server authentication)"
115160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
116160814Ssimon	-cert $SERVER_PEM -server_auth \
117160814Ssimon	-cipher $cipher -named_curve $DEFAULT_CURVE
118160814Ssimon
119160814Ssimon    echo "Testing $cipher (with server and client authentication)"
120160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
121160814Ssimon	-cert $SERVER_PEM -server_auth \
122160814Ssimon	-c_cert $CLIENT_PEM -client_auth \
123160814Ssimon	-cipher $cipher -named_curve $DEFAULT_CURVE
124160814Ssimondone
125160814Ssimon
126160814Ssimon#--------------------------------------------------------------
127160814Ssimonfor curve in $ELLIPTIC_CURVE_LIST
128160814Ssimondo
129160814Ssimon    echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
130160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
131160814Ssimon	-cert $SERVER_PEM -server_auth \
132160814Ssimon	-c_cert $CLIENT_PEM -client_auth \
133160814Ssimon	-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 
134160814Ssimondone
135160814Ssimonfi
136160814Ssimon
137160814Ssimon#==============================================================
138160814Ssimon# ECDH-RSA cipher suites require the server to have an ECC
139160814Ssimon# certificate signed with RSA.
140160814SsimonCA_PEM=$CERTS_DIR/rsa1024TestCA.pem
141160814SsimonSERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
142160814SsimonCLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem
143160814Ssimon
144160814Ssimonif [ "$1" = "ecdh-rsa" ]; then
145160814Ssimonfor cipher in $ECDH_RSA_CIPHER_LIST
146160814Ssimondo
147160814Ssimon    echo "Testing $cipher (with server authentication)"
148160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
149160814Ssimon	-cert $SERVER_PEM -server_auth \
150160814Ssimon	-cipher $cipher
151160814Ssimon
152160814Ssimon    echo "Testing $cipher (with server and client authentication)"
153160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
154160814Ssimon	-cert $SERVER_PEM -server_auth \
155160814Ssimon	-c_cert $CLIENT_PEM -client_auth \
156160814Ssimon	-cipher $cipher
157160814Ssimondone
158160814Ssimonfi
159160814Ssimon
160160814Ssimon#==============================================================
161160814Ssimon# ECDHE-RSA cipher suites require the server to have an RSA cert.
162160814SsimonCA_PEM=$CERTS_DIR/rsa1024TestCA.pem
163160814SsimonSERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
164160814SsimonCLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem
165160814Ssimon
166160814Ssimonif [ "$1" = "ecdhe-rsa" ]; then
167160814Ssimonfor cipher in $ECDHE_RSA_CIPHER_LIST
168160814Ssimondo
169160814Ssimon    echo "Testing $cipher (with server authentication)"
170160814Ssimon    echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
171160814Ssimon	-cert $SERVER_PEM -server_auth \
172160814Ssimon	-cipher $cipher -named_curve $DEFAULT_CURVE
173160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
174160814Ssimon	-cert $SERVER_PEM -server_auth \
175160814Ssimon	-cipher $cipher -named_curve $DEFAULT_CURVE
176160814Ssimon
177160814Ssimon    echo "Testing $cipher (with server and client authentication)"
178160814Ssimon    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
179160814Ssimon	-cert $SERVER_PEM -server_auth \
180160814Ssimon	-c_cert $CLIENT_PEM -client_auth \
181160814Ssimon	-cipher $cipher -named_curve $DEFAULT_CURVE
182160814Ssimondone
183160814Ssimonfi
184160814Ssimon#==============================================================
185160814Ssimon
186160814Ssimon
187160814Ssimon
188160814Ssimon
189