Test that all supported TLS ciphers actually work. Establish

connections between client and server implemented with LibreSSL or OpenSSL with a fixed cipher on each side. Check the used cipher in the session print out.
author: bluhm <> 2019-02-21 23:06:33 +0000
committer: bluhm <> 2019-02-21 23:06:33 +0000
commit: 375349e3dab4ad23aaba1771a89b29b9525e2c0c (patch)
tree: 5867d69b31bed9067061e0a88358eda30ccc9646 /src/regress/lib/libssl/interop/cipher
parent: af474ee28c8c725580d01edcfb4f3637eb3d6ed2 (diff)
download: openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.tar.gz
openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.tar.bz2
openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.zip
1 files changed, 180 insertions, 0 deletions
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
new file mode 100644
index 0000000000..5593ab233f
--- /dev/null
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -0,0 +1,180 @@
+# $OpenBSD: Makefile,v 1.1 2019/02/21 23:06:33 bluhm Exp $
+# Connect a client to a server.  Both can be current libressl, or
+# openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
+# and pin client and server to one of the ciphers.  Use server
+# certificate with compatible type.  Check that client and server
+# have used correct cipher by grepping in their session print out.
+check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl:
+        # cipher GOST2012256-GOST89-GOST89 is used in out file
+        # TODO: figure out why it is not GOST2001
+        @echo DISABLED
+check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
+check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
+check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
+check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
+check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
+check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
+check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
+check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
+check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
+check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
+        # openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
+        @echo DISABLED
+LIBRARIES =             libressl
+.if exists(/usr/local/bin/eopenssl)
+LIBRARIES +=            openssl
+.endif
+.if exists(/usr/local/bin/eopenssl11)
+LIBRARIES +=            openssl11
+.endif
+CLEANFILES =    *.tmp *.ciphers ciphers.mk
+.for clib in ${LIBRARIES}
+client-${clib}.ciphers:
+        LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
+            ../${clib}/client -l ALL -L >$@.tmp
+        sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
+        rm $@.tmp
+.endfor
+.for slib in ${LIBRARIES}
+server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
+        LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
+            ../${slib}/server -l ALL -L >$@.tmp
+        sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
+        rm $@.tmp
+.endfor
+.for clib in ${LIBRARIES}
+.for slib in ${LIBRARIES}
+ciphers.mk: client-${clib}-server-${slib}.ciphers
+client-${clib}-server-${slib}.ciphers: \
+    client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
+        # get ciphers shared between client and server
+        sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
+        uniq -d <$@.tmp >$@
+        # we are only interested in cipers supported by libressl
+        sort $@ client-libressl.ciphers >$@.tmp
+        uniq -d <$@.tmp >$@
+        rm $@.tmp
+.endfor
+.endfor
+ciphers.mk:
+        rm -f $@ $@.tmp
+.for clib in ${LIBRARIES}
+.for slib in ${LIBRARIES}
+        echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
+            `cat client-${clib}-server-${slib}.ciphers`
+.endfor
+.endfor
+        mv $@.tmp $@
+# hack to convert generated lists into usable make variables
+.if exists(ciphers.mk)
+.include "ciphers.mk"
+.else
+regress: ciphers.mk
+        ${MAKE} -C ${.CURDIR} regress
+.endif
+LEVEL_libressl =
+LEVEL_openssl =
+LEVEL_openssl11 = ,@SECLEVEL=0
+.for clib in ${LIBRARIES}
+.for slib in ${LIBRARIES}
+.for cipher in ${CIPHERS_${clib}_${slib}}
+.if "${cipher:M*-DSS-*}" != ""
+TYPE_${cipher} =        dsa
+.elif "${cipher:M*-ECDSA-*}" != ""
+TYPE_${cipher} =        ec
+.elif "${cipher:M*-GOST89-*}" != ""
+TYPE_${cipher} =        gost
+.elif "${cipher:M*-RSA-*}" != ""
+TYPE_${cipher} =        rsa
+.else
+TYPE_${cipher} =        127.0.0.1
+.endif
+.if "${slib}" == "openssl" && \
+    "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
+DHPARAM_${cipher}_${slib} =     -p dh.param
+.else
+DHPARAM_${cipher}_${slib} =
+.endif
+REGRESS_TARGETS +=      run-cipher-${cipher}-client-${clib}-server-${slib}
+run-cipher-${cipher}-client-${clib}-server-${slib} \
+client-cipher-${cipher}-client-${clib}-server-${slib}.out \
+server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
+    127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
+        @echo '\n======== $@ ========'
+        LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
+            ../${slib}/server >${@:S/^run/server/}.out \
+            -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
+            -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
+            127.0.0.1 0
+        LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
+            ../${clib}/client >${@:S/^run/client/}.out \
+            -l ${cipher}${LEVEL_${clib}} \
+            `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
+        grep -q '^success$$' ${@:S/^run/server/}.out || \
+            { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
+        grep -q '^success$$' ${@:S/^run/client/}.out
+REGRESS_TARGETS +=      check-cipher-${cipher}-client-${clib}-server-${slib}
+check-cipher-${cipher}-client-${clib}-server-${slib}: \
+    client-cipher-${cipher}-client-${clib}-server-${slib}.out \
+    server-cipher-${cipher}-client-${clib}-server-${slib}.out
+        @echo '\n======== $@ ========'
+        grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
+        grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
+.endfor
+.endfor
+.endfor
+.include <bsd.regress.mk>
author	bluhm <>	2019-02-21 23:06:33 +0000
committer	bluhm <>	2019-02-21 23:06:33 +0000
commit	375349e3dab4ad23aaba1771a89b29b9525e2c0c (patch)
tree	5867d69b31bed9067061e0a88358eda30ccc9646 /src/regress/lib/libssl/interop/cipher
parent	af474ee28c8c725580d01edcfb4f3637eb3d6ed2 (diff)
download	openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.tar.gz openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.tar.bz2 openbsd-375349e3dab4ad23aaba1771a89b29b9525e2c0c.zip

diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile new file mode 100644 index 0000000000..5593ab233f --- /dev/null +++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -0,0 +1,180 @@
	1	# $OpenBSD: Makefile,v 1.1 2019/02/21 23:06:33 bluhm Exp $
	2
	3	# Connect a client to a server. Both can be current libressl, or
	4	# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
	5	# and pin client and server to one of the ciphers. Use server
	6	# certificate with compatible type. Check that client and server
	7	# have used correct cipher by grepping in their session print out.
	8
	9	check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl:
	10	# cipher GOST2012256-GOST89-GOST89 is used in out file
	11	# TODO: figure out why it is not GOST2001
	12	@echo DISABLED
	13
	14	check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
	15	check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
	16	check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
	17	check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
	18	check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
	19	check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
	20	check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
	21	check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
	22	check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
	23	check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
	24	check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
	25	check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
	26	check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
	27	check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
	28	check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
	29	check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
	30	check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
	31	check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
	32	check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
	33	check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
	34	check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
	35	check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
	36	check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
	37	check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
	38	check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
	39	check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
	40	check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
	41	check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
	42	check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
	43	check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
	44	check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
	45	check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
	46	check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
	47	check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
	48	check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
	49	check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
	50	check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
	51	check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
	52	check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
	53	check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
	54	check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
	55	check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
	56	check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
	57	check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
	58	check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
	59	check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
	60	check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
	61	# openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
	62	@echo DISABLED
	63
	64	LIBRARIES = libressl
	65	.if exists(/usr/local/bin/eopenssl)
	66	LIBRARIES += openssl
	67	.endif
	68	.if exists(/usr/local/bin/eopenssl11)
	69	LIBRARIES += openssl11
	70	.endif
	71
	72	CLEANFILES = .tmp .ciphers ciphers.mk
	73
	74	.for clib in ${LIBRARIES}
	75	client-${clib}.ciphers:
	76	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	77	../${clib}/client -l ALL -L >$@.tmp
	78	sed -n 's/^cipher //p' <$@.tmp \| sort -u >$@
	79	rm $@.tmp
	80	.endfor
	81	.for slib in ${LIBRARIES}
	82	server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
	83	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	84	../${slib}/server -l ALL -L >$@.tmp
	85	sed -n 's/^cipher //p' <$@.tmp \| sort -u >$@
	86	rm $@.tmp
	87	.endfor
	88
	89	.for clib in ${LIBRARIES}
	90	.for slib in ${LIBRARIES}
	91	ciphers.mk: client-${clib}-server-${slib}.ciphers
	92	client-${clib}-server-${slib}.ciphers: \
	93	client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
	94	# get ciphers shared between client and server
	95	sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
	96	uniq -d <$@.tmp >$@
	97	# we are only interested in cipers supported by libressl
	98	sort $@ client-libressl.ciphers >$@.tmp
	99	uniq -d <$@.tmp >$@
	100	rm $@.tmp
	101	.endfor
	102	.endfor
	103
	104	ciphers.mk:
	105	rm -f $@ $@.tmp
	106	.for clib in ${LIBRARIES}
	107	.for slib in ${LIBRARIES}
	108	echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
	109	`cat client-${clib}-server-${slib}.ciphers`
	110	.endfor
	111	.endfor
	112	mv $@.tmp $@
	113
	114	# hack to convert generated lists into usable make variables
	115	.if exists(ciphers.mk)
	116	.include "ciphers.mk"
	117	.else
	118	regress: ciphers.mk
	119	${MAKE} -C ${.CURDIR} regress
	120	.endif
	121
	122	LEVEL_libressl =
	123	LEVEL_openssl =
	124	LEVEL_openssl11 = ,@SECLEVEL=0
	125
	126	.for clib in ${LIBRARIES}
	127	.for slib in ${LIBRARIES}
	128	.for cipher in ${CIPHERS_${clib}_${slib}}
	129
	130	.if "${cipher:M-DSS-}" != ""
	131	TYPE_${cipher} = dsa
	132	.elif "${cipher:M-ECDSA-}" != ""
	133	TYPE_${cipher} = ec
	134	.elif "${cipher:M-GOST89-}" != ""
	135	TYPE_${cipher} = gost
	136	.elif "${cipher:M-RSA-}" != ""
	137	TYPE_${cipher} = rsa
	138	.else
	139	TYPE_${cipher} = 127.0.0.1
	140	.endif
	141
	142	.if "${slib}" == "openssl" && \
	143	"${cipher:MADH-}${cipher:MEDH-}${cipher:MDHE-*}" != ""
	144	DHPARAM_${cipher}_${slib} = -p dh.param
	145	.else
	146	DHPARAM_${cipher}_${slib} =
	147	.endif
	148
	149	REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
	150	run-cipher-${cipher}-client-${clib}-server-${slib} \
	151	client-cipher-${cipher}-client-${clib}-server-${slib}.out \
	152	server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
	153	127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
	154	@echo '\n======== $@ ========'
	155	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	156	../${slib}/server >${@:S/^run/server/}.out \
	157	-c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
	158	-l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
	159	127.0.0.1 0
	160	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	161	../${clib}/client >${@:S/^run/client/}.out \
	162	-l ${cipher}${LEVEL_${clib}} \
	163	`sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
	164	grep -q '^success$$' ${@:S/^run/server/}.out \|\| \
	165	{ sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
	166	grep -q '^success$$' ${@:S/^run/client/}.out
	167
	168	REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
	169	check-cipher-${cipher}-client-${clib}-server-${slib}: \
	170	client-cipher-${cipher}-client-${clib}-server-${slib}.out \
	171	server-cipher-${cipher}-client-${clib}-server-${slib}.out
	172	@echo '\n======== $@ ========'
	173	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
	174	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
	175
	176	.endfor
	177	.endfor
	178	.endfor
	179
	180	.include <bsd.regress.mk>