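# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $

# Connect a client to a server.  Both can be current libressl, or
# openssl 3.x.  Create client and server certificates
# that are signed by a CA and not signed by a fake CA.  Try all
# combinations with, without, and with wrong CA for client and server
# and check the result of certificate verification.
#
# This is a BSD make file (.if/.for/.include directives and :S modifiers).
# It is not GNU make syntax.

# libressl is always tested; each OpenSSL flavour is added only when its
# eopenssl binary is installed under /usr/local/bin.
LIBRARIES =		libressl
.if exists(/usr/local/bin/eopenssl33)
LIBRARIES +=		openssl33
.endif
.if exists(/usr/local/bin/eopenssl34)
LIBRARIES +=		openssl34
.endif

# Test matrix, one loop per dimension:
#   cca / sca     CA file loaded by client / server: none, ca.crt, fake-ca.crt
#   ccert / scert whether client / server presents a certificate
#   cv            client verification: off, or -v
#   sv            server verification: off, -v, or -vv (certverify)
.for cca in noca ca fakeca
.for sca in noca ca fakeca
.for ccert in nocert cert
.for scert in nocert cert
.for cv in noverify verify
.for sv in noverify verify certverify

# remember when certificate verification should fail
#
# The condition below lists the combinations where both peers are expected
# to accept the handshake, so FAIL_* is left empty for them.  Every other
# combination gets "!", which is prepended to the client command in the
# recipe so that a non-zero client exit is the expected result.
#   client accepts: it does not verify, or it verifies with ca.crt loaded
#                   and the server presents a certificate.
#   server accepts: it does not verify; or it runs "verify" and the client
#                   sends no certificate; or it runs "verify"/"certverify"
#                   with ca.crt loaded and the client sends a certificate.
# A peer that verifies with fake-ca.crt or with no CA file must reject.
.if (("${cv}" == verify && "${cca}" == ca && "${scert}" == cert) || \
    "${cv}" == noverify) && \
    (("${sv}" == verify && "${ccert}" == nocert) || \
    ("${sv}" == verify && "${sca}" == ca && "${ccert}" == cert) || \
    ("${sv}" == certverify && "${sca}" == ca && "${ccert}" == cert) || \
    "${sv}" == noverify)
FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} =
.else
FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} = !
.endif

.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}

# Pairs that involve libressl on at least one side always run.  Pairs
# between two OpenSSL flavours are collected separately and only added
# to REGRESS_TARGETS further down unless REGRESS_SKIP_SLOW is "yes".
.if ("${clib}" == "libressl" || "${slib}" == "libressl")
REGRESS_TARGETS +=	run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
.else
# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
SLOW_TARGETS +=	run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
.endif

# One test: start the server on 127.0.0.1 with port 0, read the port it
# reports as "listen sock: ..." from its output file, then connect the
# client to it.  The :S modifier chains turn the loop words into command
# line options: -C <CA file>, -c <cert> -k <key>, -v / -vv.
# Output goes to server-*.out and client-*.out, named after the target.
#
# NOTE(review): the client is started with -c server.crt -k server.key,
# the same pair the server uses, although client.crt is listed as a
# prerequisite and is otherwise unused here.  As written, the matrix never
# presents a distinct client identity to the server; confirm whether
# client.crt and its matching key were intended.
#
# NOTE(review): the server command has to return before the client line
# runs, so ../${slib}/server presumably backgrounds itself once it is
# listening; confirm against the server source.
#
# Result checks:
#   expected success: both output files must contain a "success" line.
#       The server file is checked again after one second, since the
#       server may not have written its result yet.
#   expected failure: the "!" only asserts a non-zero client exit.  The
#       grep for "verify: fail" in either output file is what ties the
#       failure to certificate verification.
# NOTE(review): that grep is skipped when the server runs certverify and
# the client has no certificate, unless the client verifies and the server
# has no certificate.  In the skipped case any client failure, whatever its
# cause, satisfies the test.
run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}: \
    127.0.0.1.crt ca.crt fake-ca.crt client.crt server.crt \
    ../${clib}/client ../${slib}/server
	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
	    ../${slib}/server >${@:S/^run/server/}.out \
	    ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
	    ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
	    ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \
	    127.0.0.1 0
	${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \
	    LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
	    ../${clib}/client >${@:S/^run/client/}.out \
	    ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
	    ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
	    ${cv:S/^noverify//:S/^verify/-v/} \
	    `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}})
	grep '^success$$' ${@:S/^run/server/}.out || \
	    { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
	grep '^success$$' ${@:S/^run/client/}.out
.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \
    ("${cv}" == verify && "${scert}" != cert)
	grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out
.endif

.endfor
.endfor
.endfor
.endfor
.endfor
.endfor
.endfor
.endfor

# The OpenSSL-only pairs are included unless the caller sets
# REGRESS_SKIP_SLOW to "yes" (compared in lower case).
.include <bsd.own.mk>
REGRESS_SKIP_SLOW ?= no
.if ${REGRESS_SKIP_SLOW:L} != "yes"
REGRESS_TARGETS += ${SLOW_TARGETS}
.endif

# Final marker target, appended after all test targets.
REGRESS_TARGETS +=	run-bob
run-bob:
	@echo Bob, be happy! Tests finished.

# argument list too long for a single rm *
# The client and server output files are therefore removed by two
# separate rm commands before the usual clean list.

clean: _SUBDIRUSE
	rm -f client-*.out
	rm -f server-*.out
	rm -f a.out [Ee]rrs mklog *.core y.tab.h \
	    ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES}

.include <bsd.regress.mk>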