3 # t_lpback.sh - script to test OpenVPN's crypto loopback
4 # Copyright (C) 2005 Matthias Andree
5 # Copyright (C) 2014 Steffan Karger
7 # This program is free software; you can redistribute it and/or
8 # modify it under the terms of the GNU General Public License
9 # as published by the Free Software Foundation; either version 2
10 # of the License, or (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program; if not, write to the Free Software
19 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 top_builddir
="${top_builddir:-..}"
24 openvpn
="${openvpn:-${top_builddir}/src/openvpn/openvpn}"
25 trap "rm -f key.$$ tc-server-key.$$ tc-client-key.$$ log.$$ ; trap 0 ; exit 77" 1 2 15
26 trap "rm -f key.$$ tc-server-key.$$ tc-client-key.$$ log.$$ ; exit 1" 0 3
28 # verbosity, defaults to "1"
33 # ----------------------------------------------------------
35 # ----------------------------------------------------------
37 # output progress information
38 # depending on verbosity level, collect & print only on failure
42 0) outbuf
="" ;; # no per-test output at all
43 1) outbuf
="$@" ;; # compact, details only on failure
44 *) printf "$@" ;; # print all
53 0) ;; # no per-test output
54 1) echo "$outbuf" "FAIL (RC=$RC)"; cat $LOG ;;
55 *) echo "FAIL (RC=$RC)"; cat $LOG ;;
58 tests_failed
=$
(( $tests_failed + 1 ))
61 0|
1) ;; # no per-test output for 'OK'
62 *) echo "OK" # print all
64 tests_passed
=$
(( $tests_passed + 1 ))
68 # if running with V=1, give an indication what test runs now
69 if [ "$V" = 1 ] ; then
70 echo "$0: running with V=$V, only printing test fails"
74 # Get list of supported ciphers from openvpn --show-ciphers output
75 CIPHERS
=$
(${openvpn} --show-ciphers | \
76 sed -e '/The following/,/^$/d' -e s
'/ .*//' -e '/^[[:space:]]*$/d')
78 # SK, 2014-06-04: currently the DES-EDE3-CFB1 implementation of OpenSSL is
79 # broken (see http://rt.openssl.org/Ticket/Display.html?id=2867), so exclude
80 # that cipher from this test.
81 # GD, 2014-07-06 so is DES-CFB1
82 # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
83 CIPHERS
=$
(echo "$CIPHERS" |
egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
86 if [ -z "$CIPHERS" ] ; then
87 echo "'openvpn --show-ciphers' FAILED (empty list)"
91 # Also test cipher 'none'
92 CIPHERS
=${CIPHERS}$
(printf "\nnone")
94 "${openvpn}" --genkey secret key.$$
97 for cipher
in ${CIPHERS}
99 test_start
"Testing cipher ${cipher}... "
100 ( "${openvpn}" --test-crypto --secret key.$$
--allow-deprecated-insecure-static-crypto --cipher ${cipher} ) >log.$$
2>&1
104 test_start
"Testing tls-crypt-v2 server key generation... "
106 --genkey tls-crypt-v2-server tc-server-key.$$
>log.$$
2>&1
109 test_start
"Testing tls-crypt-v2 key generation (no metadata)... "
110 "${openvpn}" --tls-crypt-v2 tc-server-key.$$ \
111 --genkey tls-crypt-v2-client tc-client-key.$$
>log.$$
2>&1
114 # Generate max-length base64 metadata ('A' is 0b000000 in base64)
117 while [ $i -lt 732 ]; do
118 METADATA
="${METADATA}A"
121 test_start
"Testing tls-crypt-v2 key generation (max length metadata)... "
122 "${openvpn}" --tls-crypt-v2 tc-server-key.$$ \
123 --genkey tls-crypt-v2-client tc-client-key.$$
"${METADATA}" \
127 if [ "$V" -ge 1 ] ; then
128 echo "$0: tests passed: $tests_passed failed: $tests_failed"
131 rm key.$$ tc-server-key.$$ tc-client-key.$$ log.$$