#! /bin/sh
#
# t_lpback.sh - script to test OpenVPN's crypto loopback
# Copyright (C) 2005  Matthias Andree
# Copyright (C) 2014  Steffan Karger
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301, USA.

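set -eu
top_builddir="${top_builddir:-..}"
OPENVPN="${top_builddir}/src/openvpn/openvpn"

# Scratch files live in the current (build) directory, named after this
# shell's PID.  They are removed on every exit path: on SIGHUP/SIGINT/SIGTERM
# the script exits 77 (the automake "skipped" status), on any other premature
# exit (EXIT trap or SIGQUIT) it exits 1.
cleanup() {
    rm -f -- "key.$$" "tc-server-key.$$" "tc-client-key.$$" "log.$$"
}
trap 'cleanup ; trap 0 ; exit 77' 1 2 15
trap 'cleanup ; exit 1' 0 3

# Print OK/FAILED for the test that just ran, dump its log on failure and
# remember the failure in $e so the script's exit status reflects it.
# Arguments: $1 - exit status of the command under test
report_result() {
    if [ "$1" -ne 0 ] ; then
        echo "FAILED"
        cat "log.$$"
        e=1
    else
        echo "OK"
    fi
}

# Get list of supported ciphers from openvpn --show-ciphers output.
# Note: with 'set -e' only sed's exit status is checked here, so a failing
# openvpn shows up as an empty list, which is caught below.
CIPHERS=$("$OPENVPN" --show-ciphers | \
            sed -e '/The following/,/^$/d' -e 's/ .*//' -e '/^[[:space:]]*$/d')

# SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is
# broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude
# that cipher from this test.
# GD, 2014-07-06 so is DES-CFB1
# GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
# The trailing newline printed here guarantees grep -v always selects at least
# the empty line, so an empty list does not abort the script under 'set -e'.
CIPHERS=$(printf '%s\n' "$CIPHERS" | grep -E -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)')

e=0
if [ -z "$CIPHERS" ] ; then
    echo "'openvpn --show-ciphers' FAILED (empty list)"
    e=1
fi

# Also test cipher 'none'
CIPHERS=${CIPHERS}$(printf "\nnone")

# Key generation must succeed; 'set -e' aborts through the EXIT trap otherwise.
"$OPENVPN" --genkey secret "key.$$"
# From here on every failure is reported per test instead of aborting.
set +e

# shellcheck disable=SC2086 -- intentional: split the newline-separated list
for cipher in ${CIPHERS}
do
    # The cipher name is data: pass it as a printf argument, never as the
    # format string.
    printf 'Testing cipher %s... ' "$cipher"
    "$OPENVPN" --test-crypto --secret "key.$$" --cipher "$cipher" >"log.$$" 2>&1
    report_result $?
done

printf 'Testing tls-crypt-v2 server key generation... '
"$OPENVPN" \
    --genkey tls-crypt-v2-server "tc-server-key.$$" >"log.$$" 2>&1
report_result $?

printf 'Testing tls-crypt-v2 key generation (no metadata)... '
"$OPENVPN" --tls-crypt-v2 "tc-server-key.$$" \
    --genkey tls-crypt-v2-client "tc-client-key.$$" >"log.$$" 2>&1
report_result $?

# Generate max-length base64 metadata ('A' is 0b000000 in base64):
# a string of 732 'A' characters, built without a 732-iteration shell loop.
METADATA=$(printf '%732s' '' | tr ' ' 'A')
printf 'Testing tls-crypt-v2 key generation (max length metadata)... '
"$OPENVPN" --tls-crypt-v2 "tc-server-key.$$" \
    --genkey tls-crypt-v2-client "tc-client-key.$$" "${METADATA}" \
    >"log.$$" 2>&1
report_result $?

cleanup
trap 0
exit "$e"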