Add support for OpenSSL 3.1 interop tests

Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything.
author: tb <> 2023-10-30 17:15:21 +0000
committer: tb <> 2023-10-30 17:15:21 +0000
commit: bc08093d61a7c129c8e10c0201e9f3ab3167593f (patch)
tree: c5fce117c872d075f932d494bd786f9804e73c8c
parent: e961968230ef9656870099b75ce61f5a340c5b06 (diff)
download: openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.tar.gz
openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.tar.bz2
openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.zip
8 files changed, 74 insertions, 11 deletions
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 72dc87b5c2..82bef2314d 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
+# $OpenBSD: Makefile,v 1.18 2023/10/30 17:15:21 tb Exp $
-SUBDIR =        libressl openssl11 openssl30
+SUBDIR =        libressl openssl11 openssl30 openssl31
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
index 23f8a07bf4..b9570b815a 100644
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ b/src/regress/lib/libssl/interop/botan/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:58:20 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
 .include <bsd.own.mk>
@@ -26,6 +26,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES +=            openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES +=            openssl31
+.endif
 PROGS =         client
 SRCS_client =   client.cpp
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 47f4422d6e..ae755be223 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or 3.0.  Create client and server certificates
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES +=            openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES +=            openssl31
+.endif
 .for cca in noca ca fakeca
 .for sca in noca ca fakeca
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 85d927a92d..627cfc8f9f 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.12 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.13 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or 3.0.  Create lists of supported ciphers
@@ -24,6 +24,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES +=            openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES +=            openssl31
+.endif
 CLEANFILES =    *.tmp *.ciphers ciphers.mk
@@ -53,7 +56,8 @@ client-${clib}-server-${slib}.ciphers: \
        # we are only interested in ciphers supported by libressl
        sort $@ client-libressl.ciphers >$@.tmp
 . if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
-        "${clib}" == "openssl30" || "${slib}" == "openssl30"
+        "${clib}" == "openssl30" || "${slib}" == "openssl30" || \
+        "${clib}" == "openssl31" || "${slib}" == "openssl31"
        # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
        sed -i '/^TLS_/d' $@.tmp
 . endif
@@ -145,7 +149,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
        # libressl client may prefer chacha-poly if aes-ni is not supported
-.  if "${slib}" == "openssl11" || "${slib}" == "openssl30"
+.  if "${slib}" == "openssl11" || "${slib}" == "openssl30" || "${slib}" == "openssl31"
        egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 .  else
        egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
index 9cf10417af..568c4d255a 100644
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ b/src/regress/lib/libssl/interop/netcat/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:38:57 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
 LIBRARIES =             libressl
 .if exists(/usr/local/bin/eopenssl11)
@@ -7,6 +7,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES +=            openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES +=            openssl31
+.endif
 # run netcat server and connect with test client
diff --git a/src/regress/lib/libssl/interop/openssl31/Makefile b/src/regress/lib/libssl/interop/openssl31/Makefile
new file mode 100644
index 0000000000..8f35fa272f
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl31/Makefile
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $
+.if !exists(/usr/local/bin/eopenssl31)
+regress:
+        # install openssl-3.1 from ports for interop tests
+        @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1'
+        @echo SKIPPED
+.else
+PROGS =                 client server
+CPPFLAGS =              -I /usr/local/include/eopenssl31
+LDFLAGS =               -L /usr/local/lib/eopenssl31
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl31/libssl.a \
+                        /usr/local/lib/eopenssl31/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl31
+REGRESS_TARGETS =       run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+.for p in ${PROGS}
+run-ldd-$p: ldd-$p.out
+        # check that $p is linked with OpenSSL 3.1
+        grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+run-version-$p: $p-self.out
+        # check that runtime version is OpenSSL 3.1
+        grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out
+run-protocol-$p: $p-self.out
+        # check that OpenSSL 3.1 protocol version is TLS 1.3
+        grep 'Protocol *: TLSv1.3' $p-self.out
+.endfor
+.endif # exists(/usr/local/bin/eopenssl31)
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile
index f5858eaba0..99daa4ba4f 100644
--- a/src/regress/lib/libssl/interop/session/Makefile
+++ b/src/regress/lib/libssl/interop/session/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2023/02/01 16:03:47 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/10/30 17:15:21 tb Exp $
 LIBRARIES =             libressl
 .if exists(/usr/local/bin/eopenssl11)
@@ -7,6 +7,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 #LIBRARIES +=           openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+#LIBRARIES +=           openssl31
+.endif
 run-session-client-libressl-server-libressl \
 run-session-client-libressl-server-openssl11 \
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index c4f7705d63..bb4641afa9 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
+# $OpenBSD: Makefile,v 1.8 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES +=            openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES +=            openssl31
+.endif
 VERSIONS =      any TLS1_2 TLS1_3
@@ -29,7 +32,8 @@ FAIL_${cver}_${sver} = !
 .for slib in ${LIBRARIES}
 .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
-    (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+    ((("${clib}" != openssl30 && "${slib}" != openssl30) && \
+    ("${clib}" != openssl31 && "${slib}" != openssl31)) || \
    (("${cver}" != any && "${sver}" != any) && \
    ("${cver}" != TLS1 && "${sver}" != TLS1) && \
    ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
author	tb <>	2023-10-30 17:15:21 +0000
committer	tb <>	2023-10-30 17:15:21 +0000
commit	bc08093d61a7c129c8e10c0201e9f3ab3167593f (patch)
tree	c5fce117c872d075f932d494bd786f9804e73c8c
parent	e961968230ef9656870099b75ce61f5a340c5b06 (diff)
download	openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.tar.gz openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.tar.bz2 openbsd-bc08093d61a7c129c8e10c0201e9f3ab3167593f.zip