# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $

# Connect a client to a server.  Either side can be the current libressl,
# or openssl 1.1 or 3.0.  Create lists of the ciphers each side supports
# and pin client and server to one of those ciphers at a time.  Use a server
# certificate whose key type matches the cipher.  Check that client and
# server actually used that cipher by grepping their session printouts.

# libressl is always tested; an OpenSSL flavour is added only when its
# e-prefixed ports binary is installed.
LIBRARIES =		libressl
.for ver in 33 34
. if exists(/usr/local/bin/eopenssl${ver})
LIBRARIES +=		openssl${ver}
. endif
.endfor

# Everything this Makefile generates: scratch files, per-library and
# per-pair cipher lists, and the include file built from them.
CLEANFILES =	*.tmp \
		*.ciphers \
		ciphers.mk

# Per client library: ask the client binary for every cipher it supports
# (it prints them as "cipher NAME" lines) and keep a sorted, unique list.
# LD_LIBRARY_PATH points the loader at the matching ports library.
.for lib in ${LIBRARIES}
client-${lib}.ciphers:
	LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
	    ../${lib}/client -l ALL -L >${.TARGET}.tmp
	sed -n 's/^cipher //p' <${.TARGET}.tmp | sort -u >${.TARGET}
	rm ${.TARGET}.tmp
.endfor
# Per server library: same list for the server binary.  The certificates
# are prerequisites so they exist before any server is started.
.for lib in ${LIBRARIES}
server-${lib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
	LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
	    ../${lib}/server -l ALL -L >${.TARGET}.tmp
	sed -n 's/^cipher //p' <${.TARGET}.tmp | sort -u >${.TARGET}
	rm ${.TARGET}.tmp
.endfor

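# Per client/server pair: intersect the two lists, then intersect again with
# the libressl client list so only ciphers libressl knows are tested.
# "uniq -d" on the concatenated, sorted lists yields the intersection
# because each input list is already unique.
# The OpenSSL test is keyed on the library name pattern rather than on a
# hard-coded version list, so adding a new openssl* entry to LIBRARIES
# needs no change here.
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
ciphers.mk: client-${clib}-server-${slib}.ciphers
client-${clib}-server-${slib}.ciphers: \
    client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
	# get ciphers shared between client and server
	sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
	uniq -d <$@.tmp >$@
	# we are only interested in ciphers supported by libressl
	sort $@ client-libressl.ciphers >$@.tmp
. if "${clib:Mopenssl*}" != "" || "${slib:Mopenssl*}" != ""
	# OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers,
	# so a pair with an OpenSSL side can only be pinned to pre-1.3 ciphers
	sed -i '/^TLS_/d' $@.tmp
. endif
	uniq -d <$@.tmp >$@
	rm $@.tmp
.endfor
.endfor
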
# Collect the pairwise lists into one file of make variables, one
# CIPHERS_<client>_<server> assignment per pair.  Written to a scratch
# file first and renamed at the end so a failed run leaves no partial
# ciphers.mk behind.
ciphers.mk:
	rm -f ${.TARGET} ${.TARGET}.tmp
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
	echo 'CIPHERS_${clib}_${slib} =' \
	    $$(cat client-${clib}-server-${slib}.ciphers) >>${.TARGET}.tmp
.endfor
.endfor
	mv ${.TARGET}.tmp ${.TARGET}

# hack to convert generated lists into usable make variables: on the first
# pass ciphers.mk does not exist yet, so build it and then restart make in
# this directory so that the .include below picks it up.
.if !exists(ciphers.mk)
regress: ciphers.mk
	${MAKE} -C ${.CURDIR} regress
.else
.include "ciphers.mk"
.endif

# Suffix appended to the pinned cipher string per library.  OpenSSL is put
# at security level 0, its most permissive setting, so that it does not
# refuse the legacy cipher suites in the generated lists; libressl needs
# no suffix.
LEVEL_libressl =
.for ver in 33 34
LEVEL_openssl${ver} =	,@SECLEVEL=0
.endfor

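# For every client/server pair and every cipher in their shared list define
# a run- target, which starts the server, connects the client pinned to that
# cipher and checks that both report success, and a check- target, which
# greps both session printouts for the cipher that was actually negotiated.
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
.for cipher in ${CIPHERS_${clib}_${slib}}

# Pick the server certificate whose key type matches the cipher's
# authentication; anything else uses the default 127.0.0.1 certificate.
.if "${cipher:M*-DSS-*}" != ""
TYPE_${cipher} =	dsa
.elif "${cipher:M*-ECDSA-*}" != ""
TYPE_${cipher} =	ec
.elif "${cipher:M*-RSA-*}" != ""
TYPE_${cipher} =	rsa
.else
TYPE_${cipher} =	127.0.0.1
.endif

# Extra server arguments per cipher and server; currently always empty,
# dh.param nevertheless stays a prerequisite of the run- target.
DHPARAM_${cipher}_${slib} =

# Pairs without a libressl side only exercise OpenSSL against itself; they
# are collected separately so REGRESS_SKIP_SLOW can leave them out.  Both
# targets are appended together so run- always precedes check-.
.if ("${clib}" == "libressl" || "${slib}" == "libressl")
REGRESS_TARGETS +=	run-cipher-${cipher}-client-${clib}-server-${slib} \
			check-cipher-${cipher}-client-${clib}-server-${slib}
.else
# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
SLOW_TARGETS +=		run-cipher-${cipher}-client-${clib}-server-${slib} \
			check-cipher-${cipher}-client-${clib}-server-${slib}
.endif
run-cipher-${cipher}-client-${clib}-server-${slib} \
client-cipher-${cipher}-client-${clib}-server-${slib}.out \
server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
    127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
	# port 0 lets the server choose a free port; the client reads it back
	# from the "listen sock:" line of the server output
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server >${@:S/^run/server/}.out \
	    -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
	    -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
	    127.0.0.1 0
	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client >${@:S/^run/client/}.out \
	    -l ${cipher}${LEVEL_${clib}} \
	    `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
	# the server may still be writing its output when the client returns,
	# so give it one more second before failing
	grep -q '^success$$' ${@:S/^run/server/}.out || \
	    { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
	grep -q '^success$$' ${@:S/^run/client/}.out

check-cipher-${cipher}-client-${clib}-server-${slib}: \
    client-cipher-${cipher}-client-${clib}-server-${slib}.out \
    server-cipher-${cipher}-client-${clib}-server-${slib}.out
.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
	# a pre-1.3 cipher was pinned but both sides are TLS 1.3 capable, so
	# the pinned cipher is not what gets negotiated: only check that a
	# TLS 1.3 cipher was used, the pinned one is never on the wire
. if "${clib}" == "libressl"
	# libressl client may prefer chacha-poly if aes-ni is not supported
	grep -Eq ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/client/}.out
. else
	# openssl client always negotiates AES-256-GCM
	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
. endif
. if "${clib}" == "libressl"
	# whichever server: it accepts the libressl client preference
	grep -Eq ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
. else
	# generic server cipher
	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
. endif
.else
	# TLS 1.3 cipher pinned on both sides: it must be the negotiated one
	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
.endif

.endfor
.endfor
.endfor
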
.include <bsd.own.mk>
# The OpenSSL-only pairs are slow.  They are run unless REGRESS_SKIP_SLOW,
# which bsd.own.mk may already have set from the system configuration,
# says otherwise; the comparison is case insensitive.
REGRESS_SKIP_SLOW ?= no
.if "${REGRESS_SKIP_SLOW:L}" != "yes"
REGRESS_TARGETS +=	${SLOW_TARGETS}
.endif

.include <bsd.regress.mk>
