# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $

# Connect a client to a server. Both can be the current libressl, or an
# OpenSSL 3.x build (openssl33 / openssl34) if the matching eopenssl
# package is installed. Create lists of supported ciphers per library,
# intersect them per client/server pair, and pin client and server to one
# of the shared ciphers. Use a server certificate with a compatible key
# type. Check that client and server have used the expected cipher by
# grepping in their session print out.
#
# Flow of a full run (see the "hack" below): the .ciphers lists and
# ciphers.mk are generated first, then make is re-invoked so that the
# CIPHERS_* variables from ciphers.mk exist at parse time and the .for
# loops can emit one run-/check- target per (cipher, client, server).

# libressl is always tested; an OpenSSL build is only added when its
# eopensslNN wrapper binary is present on this machine.
LIBRARIES = libressl
.if exists(/usr/local/bin/eopenssl33)
LIBRARIES += openssl33
.endif
.if exists(/usr/local/bin/eopenssl34)
LIBRARIES += openssl34
.endif

# Generated intermediates; the .out session logs are not listed here.
CLEANFILES = *.tmp *.ciphers ciphers.mk

# client-<lib>.ciphers: every cipher the client binary of <lib> reports
# with "-l ALL -L". Only the "cipher ..." lines are kept, sorted and
# de-duplicated. Written via a .tmp file so a failed run does not leave a
# truncated list behind that looks up to date.
.for clib in ${LIBRARIES}
client-${clib}.ciphers:
	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client -l ALL -L >$@.tmp
	sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
	rm $@.tmp
.endfor
# server-<lib>.ciphers: same for the server binary. The certificates are
# prerequisites so they exist before the server is started.
.for slib in ${LIBRARIES}
server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server -l ALL -L >$@.tmp
	sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
	rm $@.tmp
.endfor

# client-<clib>-server-<slib>.ciphers: the ciphers both peers support.
# "sort a b | uniq -d" keeps only lines present in both sorted, unique
# lists, i.e. the intersection. A second intersection with the libressl
# client list restricts the test to ciphers libressl knows about.
# Every pair list is also a prerequisite of ciphers.mk (below).
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
ciphers.mk: client-${clib}-server-${slib}.ciphers
client-${clib}-server-${slib}.ciphers: \
    client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
	# get ciphers shared between client and server
	sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
	uniq -d <$@.tmp >$@
	# we are only interested in ciphers supported by libressl
	sort $@ client-libressl.ciphers >$@.tmp
. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \
    "${clib}" == "openssl34" || "${slib}" == "openssl34"
	# OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers,
	# so TLS_* suites are dropped whenever an OpenSSL peer is involved.
	sed -i '/^TLS_/d' $@.tmp
. endif
	uniq -d <$@.tmp >$@
	rm $@.tmp
.endfor
.endfor

# ciphers.mk: one "CIPHERS_<clib>_<slib> = <list>" assignment per pair,
# collected from the pair lists above. Built in a .tmp file and renamed at
# the end so the .include below never sees a half-written file.
ciphers.mk:
	rm -f $@ $@.tmp
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
	echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
	    `cat client-${clib}-server-${slib}.ciphers`
.endfor
.endfor
	mv $@.tmp $@

# hack to convert generated lists into usable make variables:
# the CIPHERS_* variables must exist at parse time for the .for loops
# below, but ciphers.mk does not exist on a fresh checkout. In that case
# "regress" first builds ciphers.mk and then re-runs make in this
# directory, which takes the .include branch on the second pass.
.if exists(ciphers.mk)
.include "ciphers.mk"
.else
regress: ciphers.mk
	${MAKE} -C ${.CURDIR} regress
.endif

# Suffix appended to the cipher string passed with -l. For OpenSSL,
# @SECLEVEL=0 lowers the library's security level so that it does not
# refuse the weaker legacy ciphers being exercised; libressl needs nothing.
LEVEL_libressl =
LEVEL_openssl33 = ,@SECLEVEL=0
LEVEL_openssl34 = ,@SECLEVEL=0

.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
.for cipher in ${CIPHERS_${clib}_${slib}}

# TYPE_<cipher>: which server certificate/key pair to use, chosen from
# the authentication algorithm in the cipher name. Any name without a
# -DSS-, -ECDSA- or -RSA- marker falls back to the generic 127.0.0.1 cert.
.if "${cipher:M*-DSS-*}" != ""
TYPE_${cipher} = dsa
.elif "${cipher:M*-ECDSA-*}" != ""
TYPE_${cipher} = ec
.elif "${cipher:M*-RSA-*}" != ""
TYPE_${cipher} = rsa
.else
TYPE_${cipher} = 127.0.0.1
.endif

# Extra server arguments per cipher and server library; currently always
# empty, kept as a hook (presumably for DH parameter options -- verify).
DHPARAM_${cipher}_${slib} =

# Pairs with libressl on at least one side are always run. OpenSSL-only
# pairs go into SLOW_TARGETS and are appended to REGRESS_TARGETS at the
# bottom unless REGRESS_SKIP_SLOW=yes.
.if ("${clib}" == "libressl" || "${slib}" == "libressl")
REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
.else
# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
.endif
# run-cipher-...: start the server on 127.0.0.1 port 0 (kernel-assigned
# port) pinned to the cipher, read the real port from its "listen sock:"
# line, and connect the client pinned to the same cipher. Both session
# logs are the client-/server-...out targets that share this recipe; the
# :S/^run/.../ rewrites derive their names from the run- target name.
# NOTE(review): those rewrites assume the recipe runs with the run- name as
# target; if make built one of the .out targets directly the substitution
# would be a no-op -- confirm bsd.regress.mk always runs run- before check-.
# The server's "success" line is checked with one retry after a second,
# presumably because the server may still be writing when the client exits.
run-cipher-${cipher}-client-${clib}-server-${slib} \
client-cipher-${cipher}-client-${clib}-server-${slib}.out \
server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
    127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server >${@:S/^run/server/}.out \
	    -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
	    -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
	    127.0.0.1 0
	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client >${@:S/^run/client/}.out \
	    -l ${cipher}${LEVEL_${clib}} \
	    `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
	grep -q '^success$$' ${@:S/^run/server/}.out || \
	    { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
	grep -q '^success$$' ${@:S/^run/client/}.out

.if ("${clib}" == "libressl" || "${slib}" == "libressl")
REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
.else
# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
.endif
# check-cipher-...: verify the negotiated cipher in both session logs.
# The :C modifier maps any TLSv1.3 suite name to the literal TLS1_3, so
# the first branch handles pinned TLSv1.2 (or older) ciphers: both peers
# are TLSv1.3 capable, so the handshake ends up on a TLSv1.3 suite and
# that is what must appear in the logs. A libressl client may choose
# CHACHA20-POLY1305 instead of AES-GCM when AES-NI is unavailable, hence
# the alternation. The .else branch (pinned TLSv1.3 suite) expects the
# exact cipher name on both sides.
check-cipher-${cipher}-client-${clib}-server-${slib}: \
    client-cipher-${cipher}-client-${clib}-server-${slib}.out \
    server-cipher-${cipher}-client-${clib}-server-${slib}.out
.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
	# client and server 1.3 capable, not TLS 1.3 cipher
. if "${clib}" == "libressl"
	# libressl client may prefer chacha-poly if aes-ni is not supported
	egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/client/}.out
. else
	# OpenSSL generic client cipher
	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
. endif
. if "${clib}" == "libressl"
	# libressl client may prefer chacha-poly if aes-ni is not supported
# NOTE(review): both branches of the following conditional run the same
# egrep; the split on the server library is presumably left so the OpenSSL
# case can diverge later -- confirm, or collapse it.
.  if "${slib}" == "openssl33" || "${slib}" == "openssl34"
	egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
.  else
	egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
.  endif
. else
	# generic server cipher
	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
. endif
.else
	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
.endif

.endfor
.endfor
.endfor

# OpenSSL-vs-OpenSSL pairs are slow; run them unless the user opts out
# with REGRESS_SKIP_SLOW=yes (compared case-insensitively via :L).
.include <bsd.own.mk>
REGRESS_SKIP_SLOW ?= no
.if ${REGRESS_SKIP_SLOW:L} != "yes"
REGRESS_TARGETS += ${SLOW_TARGETS}
.endif

.include <bsd.regress.mk>