1*ebfedea0SLionel Sambuc#! /bin/sh 2*ebfedea0SLionel Sambuc# Tests ECC cipher suites using ssltest. Requires one argument which could 3*ebfedea0SLionel Sambuc# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa. 4*ebfedea0SLionel Sambuc# A second optional argument can be one of ssl2 ssl3 or tls1 5*ebfedea0SLionel Sambuc 6*ebfedea0SLionel Sambucif [ "$1" = "" ]; then 7*ebfedea0SLionel Sambuc (echo "Usage: $0 test [ protocol ]" 8*ebfedea0SLionel Sambuc echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa" 9*ebfedea0SLionel Sambuc echo " and protocol (optional) is one of ssl2, ssl3, tls1" 10*ebfedea0SLionel Sambuc echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first." 11*ebfedea0SLionel Sambuc ) >&2 12*ebfedea0SLionel Sambuc exit 1 13*ebfedea0SLionel Sambucfi 14*ebfedea0SLionel Sambuc 15*ebfedea0SLionel Sambuc 16*ebfedea0SLionel SambucOPENSSL_DIR=../.. 17*ebfedea0SLionel SambucCERTS_DIR=./Certs 18*ebfedea0SLionel SambucSSLTEST=$OPENSSL_DIR/test/ssltest 19*ebfedea0SLionel Sambuc# SSL protocol version to test (one of ssl2 ssl3 or tls1)" 20*ebfedea0SLionel SambucSSLVERSION= 21*ebfedea0SLionel Sambuc 22*ebfedea0SLionel Sambuc# These don't really require any certificates 23*ebfedea0SLionel SambucAECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA" 24*ebfedea0SLionel Sambuc 25*ebfedea0SLionel Sambuc# These require ECC certificates signed with ECDSA 26*ebfedea0SLionel Sambuc# The EC public key must be authorized for key agreement. 27*ebfedea0SLionel SambucECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA" 28*ebfedea0SLionel Sambuc 29*ebfedea0SLionel Sambuc# These require ECC certificates. 30*ebfedea0SLionel Sambuc# The EC public key must be authorized for digital signature. 31*ebfedea0SLionel SambucECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA" 32*ebfedea0SLionel Sambuc 33*ebfedea0SLionel Sambuc# These require ECC certificates signed with RSA. 34*ebfedea0SLionel Sambuc# The EC public key must be authorized for key agreement. 35*ebfedea0SLionel SambucECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA" 36*ebfedea0SLionel Sambuc 37*ebfedea0SLionel Sambuc# These require RSA certificates. 38*ebfedea0SLionel Sambuc# The RSA public key must be authorized for digital signature. 39*ebfedea0SLionel SambucECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA" 40*ebfedea0SLionel Sambuc 41*ebfedea0SLionel Sambuc# List of Elliptic curves over which we wish to test generation of 42*ebfedea0SLionel Sambuc# ephemeral ECDH keys when using AECDH or ECDHE ciphers 43*ebfedea0SLionel Sambuc# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1 44*ebfedea0SLionel Sambuc#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1" 45*ebfedea0SLionel SambucELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1" 46*ebfedea0SLionel Sambuc 47*ebfedea0SLionel SambucDEFAULT_CURVE="sect163r2" 48*ebfedea0SLionel Sambuc 49*ebfedea0SLionel Sambucif [ "$2" = "" ]; then 50*ebfedea0SLionel Sambuc if [ "$SSL_VERSION" = "" ]; then 51*ebfedea0SLionel Sambuc SSL_VERSION="" 52*ebfedea0SLionel Sambuc else 53*ebfedea0SLionel Sambuc SSL_VERSION="-$SSL_VERSION" 54*ebfedea0SLionel Sambuc fi 55*ebfedea0SLionel Sambucelse 56*ebfedea0SLionel Sambuc SSL_VERSION="-$2" 57*ebfedea0SLionel Sambucfi 58*ebfedea0SLionel Sambuc 59*ebfedea0SLionel Sambuc#============================================================== 60*ebfedea0SLionel Sambuc# Anonymous cipher suites do not require key or certificate files 61*ebfedea0SLionel Sambuc# but ssltest expects a cert file and complains if it can't 62*ebfedea0SLionel Sambuc# open the default one. 63*ebfedea0SLionel SambucSERVER_PEM=$OPENSSL_DIR/apps/server.pem 64*ebfedea0SLionel Sambuc 65*ebfedea0SLionel Sambucif [ "$1" = "aecdh" ]; then 66*ebfedea0SLionel Sambucfor cipher in $AECDH_CIPHER_LIST 67*ebfedea0SLionel Sambucdo 68*ebfedea0SLionel Sambuc echo "Testing $cipher" 69*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher 70*ebfedea0SLionel Sambucdone 71*ebfedea0SLionel Sambuc#-------------------------------------------------------------- 72*ebfedea0SLionel Sambucfor curve in $ELLIPTIC_CURVE_LIST 73*ebfedea0SLionel Sambucdo 74*ebfedea0SLionel Sambuc echo "Testing AECDH-NULL-SHA (with $curve)" 75*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 76*ebfedea0SLionel Sambuc -named_curve $curve -cipher AECDH-NULL-SHA 77*ebfedea0SLionel Sambucdone 78*ebfedea0SLionel Sambuc 79*ebfedea0SLionel Sambucfor curve in $ELLIPTIC_CURVE_LIST 80*ebfedea0SLionel Sambucdo 81*ebfedea0SLionel Sambuc echo "Testing AECDH-RC4-SHA (with $curve)" 82*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -cert $SERVER_PEM \ 83*ebfedea0SLionel Sambuc -named_curve $curve -cipher AECDH-RC4-SHA 84*ebfedea0SLionel Sambucdone 85*ebfedea0SLionel Sambucfi 86*ebfedea0SLionel Sambuc 87*ebfedea0SLionel Sambuc#============================================================== 88*ebfedea0SLionel Sambuc# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require 89*ebfedea0SLionel Sambuc# the server to have an ECC certificate signed with ECDSA. 90*ebfedea0SLionel SambucCA_PEM=$CERTS_DIR/secp160r1TestCA.pem 91*ebfedea0SLionel SambucSERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem 92*ebfedea0SLionel SambucCLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem 93*ebfedea0SLionel Sambuc 94*ebfedea0SLionel Sambucif [ "$1" = "ecdh-ecdsa" ]; then 95*ebfedea0SLionel Sambucfor cipher in $ECDH_ECDSA_CIPHER_LIST 96*ebfedea0SLionel Sambucdo 97*ebfedea0SLionel Sambuc echo "Testing $cipher (with server authentication)" 98*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 99*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 100*ebfedea0SLionel Sambuc -cipher $cipher 101*ebfedea0SLionel Sambuc 102*ebfedea0SLionel Sambuc echo "Testing $cipher (with server and client authentication)" 103*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 104*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 105*ebfedea0SLionel Sambuc -c_cert $CLIENT_PEM -client_auth \ 106*ebfedea0SLionel Sambuc -cipher $cipher 107*ebfedea0SLionel Sambucdone 108*ebfedea0SLionel Sambucfi 109*ebfedea0SLionel Sambuc 110*ebfedea0SLionel Sambuc#============================================================== 111*ebfedea0SLionel Sambucif [ "$1" = "ecdhe-ecdsa" ]; then 112*ebfedea0SLionel Sambucfor cipher in $ECDHE_ECDSA_CIPHER_LIST 113*ebfedea0SLionel Sambucdo 114*ebfedea0SLionel Sambuc echo "Testing $cipher (with server authentication)" 115*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 116*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 117*ebfedea0SLionel Sambuc -cipher $cipher -named_curve $DEFAULT_CURVE 118*ebfedea0SLionel Sambuc 119*ebfedea0SLionel Sambuc echo "Testing $cipher (with server and client authentication)" 120*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 121*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 122*ebfedea0SLionel Sambuc -c_cert $CLIENT_PEM -client_auth \ 123*ebfedea0SLionel Sambuc -cipher $cipher -named_curve $DEFAULT_CURVE 124*ebfedea0SLionel Sambucdone 125*ebfedea0SLionel Sambuc 126*ebfedea0SLionel Sambuc#-------------------------------------------------------------- 127*ebfedea0SLionel Sambucfor curve in $ELLIPTIC_CURVE_LIST 128*ebfedea0SLionel Sambucdo 129*ebfedea0SLionel Sambuc echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)" 130*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 131*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 132*ebfedea0SLionel Sambuc -c_cert $CLIENT_PEM -client_auth \ 133*ebfedea0SLionel Sambuc -cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve 134*ebfedea0SLionel Sambucdone 135*ebfedea0SLionel Sambucfi 136*ebfedea0SLionel Sambuc 137*ebfedea0SLionel Sambuc#============================================================== 138*ebfedea0SLionel Sambuc# ECDH-RSA cipher suites require the server to have an ECC 139*ebfedea0SLionel Sambuc# certificate signed with RSA. 140*ebfedea0SLionel SambucCA_PEM=$CERTS_DIR/rsa1024TestCA.pem 141*ebfedea0SLionel SambucSERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem 142*ebfedea0SLionel SambucCLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem 143*ebfedea0SLionel Sambuc 144*ebfedea0SLionel Sambucif [ "$1" = "ecdh-rsa" ]; then 145*ebfedea0SLionel Sambucfor cipher in $ECDH_RSA_CIPHER_LIST 146*ebfedea0SLionel Sambucdo 147*ebfedea0SLionel Sambuc echo "Testing $cipher (with server authentication)" 148*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 149*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 150*ebfedea0SLionel Sambuc -cipher $cipher 151*ebfedea0SLionel Sambuc 152*ebfedea0SLionel Sambuc echo "Testing $cipher (with server and client authentication)" 153*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 154*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 155*ebfedea0SLionel Sambuc -c_cert $CLIENT_PEM -client_auth \ 156*ebfedea0SLionel Sambuc -cipher $cipher 157*ebfedea0SLionel Sambucdone 158*ebfedea0SLionel Sambucfi 159*ebfedea0SLionel Sambuc 160*ebfedea0SLionel Sambuc#============================================================== 161*ebfedea0SLionel Sambuc# ECDHE-RSA cipher suites require the server to have an RSA cert. 162*ebfedea0SLionel SambucCA_PEM=$CERTS_DIR/rsa1024TestCA.pem 163*ebfedea0SLionel SambucSERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem 164*ebfedea0SLionel SambucCLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem 165*ebfedea0SLionel Sambuc 166*ebfedea0SLionel Sambucif [ "$1" = "ecdhe-rsa" ]; then 167*ebfedea0SLionel Sambucfor cipher in $ECDHE_RSA_CIPHER_LIST 168*ebfedea0SLionel Sambucdo 169*ebfedea0SLionel Sambuc echo "Testing $cipher (with server authentication)" 170*ebfedea0SLionel Sambuc echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 171*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 172*ebfedea0SLionel Sambuc -cipher $cipher -named_curve $DEFAULT_CURVE 173*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 174*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 175*ebfedea0SLionel Sambuc -cipher $cipher -named_curve $DEFAULT_CURVE 176*ebfedea0SLionel Sambuc 177*ebfedea0SLionel Sambuc echo "Testing $cipher (with server and client authentication)" 178*ebfedea0SLionel Sambuc $SSLTEST $SSL_VERSION -CAfile $CA_PEM \ 179*ebfedea0SLionel Sambuc -cert $SERVER_PEM -server_auth \ 180*ebfedea0SLionel Sambuc -c_cert $CLIENT_PEM -client_auth \ 181*ebfedea0SLionel Sambuc -cipher $cipher -named_curve $DEFAULT_CURVE 182*ebfedea0SLionel Sambucdone 183*ebfedea0SLionel Sambucfi 184*ebfedea0SLionel Sambuc#============================================================== 185*ebfedea0SLionel Sambuc 186*ebfedea0SLionel Sambuc 187*ebfedea0SLionel Sambuc 188*ebfedea0SLionel Sambuc 189