ssltest.sh revision 160814 
1139747Simp#! /bin/sh
2131952Smarcel# Tests ECC cipher suites using ssltest. Requires one argument which could
3131952Smarcel# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
4131952Smarcel# A second optional argument can be one of ssl2 ssl3 or tls1
5131952Smarcel
6131952Smarcelif [ "$1" = "" ]; then
7131952Smarcel  (echo "Usage: $0 test [ protocol ]"
8131952Smarcel   echo "   where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
9131952Smarcel   echo "   and protocol (optional) is one of ssl2, ssl3, tls1"
10131952Smarcel   echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
11131952Smarcel  ) >&2
12131952Smarcel  exit 1
13131952Smarcelfi
14131952Smarcel
15131952Smarcel
16131952SmarcelOPENSSL_DIR=../..
17131952SmarcelCERTS_DIR=./Certs
18131952SmarcelSSLTEST=$OPENSSL_DIR/test/ssltest
19131952Smarcel# SSL protocol version to test (one of ssl2 ssl3 or tls1)"
20131952SmarcelSSLVERSION=
21131952Smarcel
22131952Smarcel# These don't really require any certificates
23131952SmarcelAECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
24131952Smarcel
25131952Smarcel# These require ECC certificates signed with ECDSA
26131952Smarcel# The EC public key must be authorized for key agreement.
27131952SmarcelECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
28131952Smarcel
29131952Smarcel# These require ECC certificates.
30131952Smarcel# The EC public key must be authorized for digital signature.
31131952SmarcelECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"
32131952Smarcel
33131952Smarcel# These require ECC certificates signed with RSA.
34131952Smarcel# The EC public key must be authorized for key agreement.
35131952SmarcelECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
36131952Smarcel
37131952Smarcel# These require RSA certificates.
38131952Smarcel# The RSA public key must be authorized for digital signature.
39174910SrwatsonECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"
40131952Smarcel
41131952Smarcel# List of Elliptic curves over which we wish to test generation of
42131952Smarcel# ephemeral ECDH keys when using AECDH or ECDHE ciphers
43131952Smarcel# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
44131952Smarcel#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
45131952SmarcelELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"
46131952Smarcel
47131952SmarcelDEFAULT_CURVE="sect163r2"
48131952Smarcel
49174910Srwatsonif [ "$2" = "" ]; then
50174910Srwatson    if [ "$SSL_VERSION" = "" ]; then
51131952Smarcel	SSL_VERSION=""
52131952Smarcel    else
53164029Skib	SSL_VERSION="-$SSL_VERSION"
54131952Smarcel    fi
55164029Skibelse
56131952Smarcel    SSL_VERSION="-$2"
57131952Smarcelfi
58131952Smarcel
59131952Smarcel#==============================================================
60131952Smarcel# Anonymous cipher suites do not require key or certificate files
61131952Smarcel# but ssltest expects a cert file and complains if it can't
62131952Smarcel# open the default one.
63131952SmarcelSERVER_PEM=$OPENSSL_DIR/apps/server.pem
64131952Smarcel
65131952Smarcelif [ "$1" = "aecdh" ]; then
66131952Smarcelfor cipher in $AECDH_CIPHER_LIST
67131952Smarceldo
68131952Smarcel    echo "Testing $cipher"
69131952Smarcel    $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 
70131952Smarceldone
71131952Smarcel#--------------------------------------------------------------
72131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST
73131952Smarceldo
74131952Smarcel    echo "Testing AECDH-NULL-SHA (with $curve)"
75131952Smarcel    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
76131952Smarcel	-named_curve $curve -cipher AECDH-NULL-SHA
77131952Smarceldone
78131952Smarcel
79131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST
80131952Smarceldo
81131952Smarcel    echo "Testing AECDH-RC4-SHA (with $curve)"
82131952Smarcel    $SSLTEST $SSL_VERSION -cert $SERVER_PEM \
83131952Smarcel	-named_curve $curve -cipher AECDH-RC4-SHA
84131952Smarceldone
85131952Smarcelfi
86131952Smarcel
87131952Smarcel#==============================================================
88131952Smarcel# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 
89131952Smarcel# the server to have an ECC certificate signed with ECDSA.
90131952SmarcelCA_PEM=$CERTS_DIR/secp160r1TestCA.pem
91131952SmarcelSERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
92131952SmarcelCLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem
93131952Smarcel
94131952Smarcelif [ "$1" = "ecdh-ecdsa" ]; then
95131952Smarcelfor cipher in $ECDH_ECDSA_CIPHER_LIST
96131952Smarceldo
97131952Smarcel    echo "Testing $cipher (with server authentication)"
98131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
99131952Smarcel	-cert $SERVER_PEM -server_auth \
100131952Smarcel	-cipher $cipher
101131952Smarcel
102131952Smarcel    echo "Testing $cipher (with server and client authentication)"
103131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
104131952Smarcel	-cert $SERVER_PEM -server_auth \
105131952Smarcel	-c_cert $CLIENT_PEM -client_auth \
106131952Smarcel	-cipher $cipher
107131952Smarceldone
108131952Smarcelfi
109131952Smarcel
110131952Smarcel#==============================================================
111131952Smarcelif [ "$1" = "ecdhe-ecdsa" ]; then
112131952Smarcelfor cipher in $ECDHE_ECDSA_CIPHER_LIST
113131952Smarceldo
114131952Smarcel    echo "Testing $cipher (with server authentication)"
115131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
116131952Smarcel	-cert $SERVER_PEM -server_auth \
117131952Smarcel	-cipher $cipher -named_curve $DEFAULT_CURVE
118131952Smarcel
119131952Smarcel    echo "Testing $cipher (with server and client authentication)"
120131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
121131952Smarcel	-cert $SERVER_PEM -server_auth \
122131952Smarcel	-c_cert $CLIENT_PEM -client_auth \
123131952Smarcel	-cipher $cipher -named_curve $DEFAULT_CURVE
124131952Smarceldone
125131952Smarcel
126131952Smarcel#--------------------------------------------------------------
127131952Smarcelfor curve in $ELLIPTIC_CURVE_LIST
128131952Smarceldo
129131952Smarcel    echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
130131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
131131952Smarcel	-cert $SERVER_PEM -server_auth \
132131952Smarcel	-c_cert $CLIENT_PEM -client_auth \
133131952Smarcel	-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 
134131952Smarceldone
135131952Smarcelfi
136131952Smarcel
137131952Smarcel#==============================================================
138131952Smarcel# ECDH-RSA cipher suites require the server to have an ECC
139131952Smarcel# certificate signed with RSA.
140131952SmarcelCA_PEM=$CERTS_DIR/rsa1024TestCA.pem
141131952SmarcelSERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
142131952SmarcelCLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem
143131952Smarcel
144131952Smarcelif [ "$1" = "ecdh-rsa" ]; then
145131952Smarcelfor cipher in $ECDH_RSA_CIPHER_LIST
146131952Smarceldo
147131952Smarcel    echo "Testing $cipher (with server authentication)"
148131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
149131952Smarcel	-cert $SERVER_PEM -server_auth \
150131952Smarcel	-cipher $cipher
151131952Smarcel
152131952Smarcel    echo "Testing $cipher (with server and client authentication)"
153131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
154131952Smarcel	-cert $SERVER_PEM -server_auth \
155131952Smarcel	-c_cert $CLIENT_PEM -client_auth \
156131952Smarcel	-cipher $cipher
157131952Smarceldone
158131952Smarcelfi
159131952Smarcel
160131952Smarcel#==============================================================
161131952Smarcel# ECDHE-RSA cipher suites require the server to have an RSA cert.
162131952SmarcelCA_PEM=$CERTS_DIR/rsa1024TestCA.pem
163131952SmarcelSERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
164131952SmarcelCLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem
165131952Smarcel
166131952Smarcelif [ "$1" = "ecdhe-rsa" ]; then
167131952Smarcelfor cipher in $ECDHE_RSA_CIPHER_LIST
168131952Smarceldo
169131952Smarcel    echo "Testing $cipher (with server authentication)"
170131952Smarcel    echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
171131952Smarcel	-cert $SERVER_PEM -server_auth \
172131952Smarcel	-cipher $cipher -named_curve $DEFAULT_CURVE
173131952Smarcel    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
174131952Smarcel	-cert $SERVER_PEM -server_auth \
175131952Smarcel	-cipher $cipher -named_curve $DEFAULT_CURVE
176131952Smarcel
177132771Skan    echo "Testing $cipher (with server and client authentication)"
178132791Skan    $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
179131952Smarcel	-cert $SERVER_PEM -server_auth \
180132771Skan	-c_cert $CLIENT_PEM -client_auth \
181132791Skan	-cipher $cipher -named_curve $DEFAULT_CURVE
182131952Smarceldone
183131952Smarcelfi
184131952Smarcel#==============================================================
185131952Smarcel
186131952Smarcel
187131952Smarcel
188131952Smarcel
189131952Smarcel