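# $OpenBSD: Makefile,v 1.3 2019/03/28 22:24:13 bluhm Exp $

# Connect a client to a server. Both can be current libressl, or
# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
# and pin client and server to one of the ciphers. Use server
# certificate with compatible type. Check that client and server
# have used correct cipher by grepping in their session print out.
#
# This is an interoperability test, not a configuration example: the
# cipher lists deliberately include anonymous (ADH/AECDH) and legacy
# ciphers, OpenSSL 1.1 is run at SECLEVEL=0 so that it accepts them,
# and the certificates, keys and dh.param used as prerequisites are
# test fixtures whose rules are not in this file (presumably they come
# from ../Makefile.inc -- confirm).

# When both peers are openssl11 the pinned cipher cannot be verified:
# the session print out always shows TLS_AES_256_GCM_SHA384, which is
# a TLS 1.3 suite, i.e. the peers negotiate TLS 1.3 and the cipher
# pinned with -l (which only governs pre-1.3 suites) does not decide
# what is used.  The run-* targets further down still exercise the
# handshake for these combinations, but the corresponding check-*
# targets are defined here first with a no-op recipe; the generic
# check-* script generated below is then expected to be ignored as a
# duplicate script for the same target.  Revisit once the openssl11
# client and server can be limited to TLS 1.2, so that this pairing
# is actually checked instead of silently passing.
check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
	# openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
	@echo DISABLED

# Libraries under test.  libressl is always present; the OpenSSL ports
# are picked up only when their eopenssl/eopenssl11 binaries are
# installed.  Client and server programs are taken from ../<lib>/ and
# are run with the matching shared libraries selected through
# LD_LIBRARY_PATH=/usr/local/lib/e<lib>.
LIBRARIES = libressl
.if exists(/usr/local/bin/eopenssl)
LIBRARIES += openssl
.endif
.if exists(/usr/local/bin/eopenssl11)
LIBRARIES += openssl11
.endif

# NOTE(review): the *.out session files written by run-* are not
# listed here; confirm that bsd.regress.mk removes them on clean.
CLEANFILES = *.tmp *.ciphers ciphers.mk

# Per-library lists of the ciphers each client and server program
# reports with "-l ALL -L", one cipher name per line.  The lists are
# sorted and de-duplicated so that the "uniq -d" intersections below
# are correct.
.for clib in ${LIBRARIES}
client-${clib}.ciphers:
	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client -l ALL -L >$@.tmp
	sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
	rm $@.tmp
.endfor
.for slib in ${LIBRARIES}
server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server -l ALL -L >$@.tmp
	sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
	rm $@.tmp
.endfor

# For every client/server pairing keep only the ciphers supported by
# both sides and by the libressl client ("uniq -d" on the sorted
# concatenation of two duplicate-free lists is their intersection).
# Each pairing's list is a prerequisite of the generated ciphers.mk.
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
ciphers.mk: client-${clib}-server-${slib}.ciphers
client-${clib}-server-${slib}.ciphers: \
    client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
	# get ciphers shared between client and server
	sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
	uniq -d <$@.tmp >$@
	# we are only interested in ciphers supported by libressl
	sort $@ client-libressl.ciphers >$@.tmp
	uniq -d <$@.tmp >$@
	rm $@.tmp
.endfor
.endfor

# Turn the per-pairing cipher lists into CIPHERS_<client>_<server>
# make variables.  Written to a temporary file first and renamed, so
# that a partially written ciphers.mk is never included.
ciphers.mk:
	rm -f $@ $@.tmp
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
	echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
	    `cat client-${clib}-server-${slib}.ciphers`
.endfor
.endfor
	mv $@.tmp $@

# hack to convert generated lists into usable make variables: the
# regress targets below are generated from CIPHERS_* at parse time,
# so on a fresh tree build ciphers.mk first and re-run make so that
# the generated file gets included.
.if exists(ciphers.mk)
.include "ciphers.mk"
.else
regress: ciphers.mk
	${MAKE} -C ${.CURDIR} regress
.endif

# Suffix appended to the pinned cipher passed with -l.  OpenSSL 1.1
# drops anonymous and other weak ciphers from a cipher list at its
# default security level, so it is lowered to SECLEVEL=0 here; this
# is test-only and must never be copied into a real configuration.
# OpenSSL's cipher list parser accepts ',' as a separator, hence the
# leading comma.
LEVEL_libressl =
LEVEL_openssl =
LEVEL_openssl11 = ,@SECLEVEL=0

.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
.for cipher in ${CIPHERS_${clib}_${slib}}

# Pick the server certificate/key whose type matches the cipher's
# authentication.  Ciphers without a signature algorithm in their
# name (e.g. AES128-SHA, ADH-*, AECDH-*) fall back to the default
# 127.0.0.1 certificate and key.
.if "${cipher:M*-DSS-*}" != ""
TYPE_${cipher} = dsa
.elif "${cipher:M*-ECDSA-*}" != ""
TYPE_${cipher} = ec
.elif "${cipher:M*-GOST89-*}" != ""
TYPE_${cipher} = gost
.elif "${cipher:M*-RSA-*}" != ""
TYPE_${cipher} = rsa
.else
TYPE_${cipher} = 127.0.0.1
.endif

# Only the openssl 1.0.2 server is handed explicit DH parameters for
# the DH based ciphers; every other server is started without them.
.if "${slib}" == "openssl" && \
    "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
DHPARAM_${cipher}_${slib} = -p dh.param
.else
DHPARAM_${cipher}_${slib} =
.endif

# Bind the common part of the target and output file names once, so
# the recipes name their files literally instead of deriving them from
# $@.  The run rule has three targets; deriving the names from $@ only
# worked when the run-* target was the one being built, and built the
# wrong files when a check-* target (and thus a *.out prerequisite)
# was requested on its own.
.for stem in cipher-${cipher}-client-${clib}-server-${slib}

# Run one pinned handshake.  The server listens on 127.0.0.1 port 0
# and reports the chosen port as "listen sock: ..." in its output,
# which is handed to the client.  Both sides must print "success"; the
# server is checked a second time after a one second sleep, which
# tolerates the server finishing slightly after the client returns.
REGRESS_TARGETS += run-${stem}
run-${stem} client-${stem}.out server-${stem}.out: dh.param \
    127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
	@echo '\n======== $@ ========'
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server >server-${stem}.out \
	    -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
	    -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
	    127.0.0.1 0
	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client >client-${stem}.out \
	    -l ${cipher}${LEVEL_${clib}} \
	    `sed -n 's/listen sock: //p' server-${stem}.out`
	grep -q '^success$$' server-${stem}.out || \
	    { sleep 1; grep -q '^success$$' server-${stem}.out; }
	grep -q '^success$$' client-${stem}.out

# Verify that the negotiated cipher printed in both session outputs is
# exactly the pinned one; the anchored pattern rejects prefixes such as
# a longer cipher name sharing the same leading characters.
REGRESS_TARGETS += check-${stem}
check-${stem}: client-${stem}.out server-${stem}.out
	@echo '\n======== $@ ========'
	grep -q ' Cipher *: ${cipher}$$' server-${stem}.out
	grep -q ' Cipher *: ${cipher}$$' client-${stem}.out

.endfor
.endfor
.endfor
.endfor

.include <bsd.regress.mk>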