Connect a client to a server. Both can be current libressl, or

openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS version number. Incompatible versions must fail. Check that client and server have used correct version by grepping in their session print out.
author: bluhm <> 2020-09-14 00:51:04 +0000
committer: bluhm <> 2020-09-14 00:51:04 +0000
commit: de3c5baf1f0309bd56938c276ecea61df1e4b2b5 (patch)
tree: d7a87e6235bf9551c9bbb049af338dbb6ca080e8
parent: 7e6ac45008128aea17a084b0274f94a64f355826 (diff)
download: openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.tar.gz
openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.tar.bz2
openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.zip
5 files changed, 193 insertions, 10 deletions
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 5ad9041276..cf06d8c022 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.10 2020/09/11 22:48:00 bluhm Exp $
+# $OpenBSD: Makefile,v 1.11 2020/09/14 00:51:04 bluhm Exp $
 SUBDIR =        libressl openssl openssl11
 # the above binaries must have been built before we can continue
 SUBDIR +=       cert
 SUBDIR +=       cipher
+SUBDIR +=       version
 SUBDIR +=       netcat
 SUBDIR +=       session
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
index 6a85e35c92..a8e66c2876 100644
--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: client.c,v 1.9 2020/09/11 22:48:00 bluhm Exp $        */
+/*      $OpenBSD: client.c,v 1.10 2020/09/14 00:51:04 bluhm Exp $       */
 /*
 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
 *
@@ -35,7 +35,7 @@ void __dead
 usage(void)
 {
        fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
-            "[-l ciphers] host port\n");
+            "[-l ciphers] [-V version] host port\n");
        exit(2);
 }
@@ -48,11 +48,12 @@ main(int argc, char *argv[])
        BIO *bio;
        SSL_SESSION *session = NULL;
        int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
+        int version = 0;
        char buf[256];
        char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
        char *host_port, *host = "127.0.0.1", *port = "0";
-        while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {
+        while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
                switch (ch) {
                case 'C':
                        ca = optarg;
@@ -73,6 +74,21 @@ main(int argc, char *argv[])
                        /* multiple reueses are possible */
                        sessionreuse++;
                        break;
+                case 'V':
+                        if (strcmp(optarg, "TLS1") == 0) {
+                                version = TLS1_VERSION;
+                        } else if (strcmp(optarg, "TLS1_1") == 0) {
+                                version = TLS1_1_VERSION;
+                        } else if (strcmp(optarg, "TLS1_2") == 0) {
+                                version = TLS1_2_VERSION;
+#ifdef TLS1_3_VERSION
+                        } else if (strcmp(optarg, "TLS1_3") == 0) {
+                                version = TLS1_3_VERSION;
+#endif
+                        } else {
+                                errx(1, "unknown protocol version: %s", optarg);
+                        }
+                        break;
                case 'v':
                        verify = 1;
                        break;
@@ -104,7 +120,24 @@ main(int argc, char *argv[])
        if (method == NULL)
                err_ssl(1, "TLS_client_method");
 #else
-        method = SSLv23_client_method();
+        switch (version) {
+        case TLS1_VERSION:
+                method = TLSv1_client_method();
+                break;
+        case TLS1_1_VERSION:
+                method = TLSv1_1_client_method();
+                break;
+        case TLS1_2_VERSION:
+                method = TLSv1_2_client_method();
+                break;
+#ifdef TLS1_3_VERSION
+        case TLS1_3_VERSION:
+                err(1, "TLS1_3 not supported");
+#endif
+        default:
+                method = SSLv23_client_method();
+                break;
+        }
        if (method == NULL)
                err_ssl(1, "SSLv23_client_method");
 #endif
@@ -112,6 +145,15 @@ main(int argc, char *argv[])
        if (ctx == NULL)
                err_ssl(1, "SSL_CTX_new");
+#if OPENSSL_VERSION_NUMBER >= 0x1010000f
+        if (version) {
+                if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
+                        err_ssl(1, "SSL_CTX_set_min_proto_version");
+                if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
+                        err_ssl(1, "SSL_CTX_set_max_proto_version");
+        }
+#endif
        /* load client certificate */
        if (crt != NULL) {
                if (SSL_CTX_use_certificate_file(ctx, crt,
diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
index 16ec8cf086..d19e6eb306 100644
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ b/src/regress/lib/libssl/interop/libressl/Makefile
@@ -1,6 +1,7 @@
-# $OpenBSD: Makefile,v 1.6 2020/05/11 18:20:24 jsing Exp $
+# $OpenBSD: Makefile,v 1.7 2020/09/14 00:51:04 bluhm Exp $
 PROGS =                 client server
+CFLAGS =                -DLIBRESSL_HAS_TLS1_3
 CPPFLAGS =
 LDFLAGS =
 LDADD =                 -lssl -lcrypto
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
index 6723817498..4b9dd0f506 100644
--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: server.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $        */
+/*      $OpenBSD: server.c,v 1.9 2020/09/14 00:51:04 bluhm Exp $        */
 /*
 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
 *
@@ -36,7 +36,7 @@ void __dead
 usage(void)
 {
        fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
-            "[-l ciphers] [-p dhparam] [host port]\n");
+            "[-l ciphers] [-p dhparam] [-V version] [host port]\n");
        exit(2);
 }
@@ -49,11 +49,12 @@ main(int argc, char *argv[])
        BIO *abio, *cbio;
        SSL_SESSION *session;
        int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
+        int version = 0;
        char buf[256], *dhparam = NULL;
        char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
        char *host_port, *host = "127.0.0.1", *port = "0";
-        while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sv")) != -1) {
+        while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
                switch (ch) {
                case 'C':
                        ca = optarg;
@@ -77,6 +78,21 @@ main(int argc, char *argv[])
                        /* multiple reueses are possible */
                        sessionreuse++;
                        break;
+                case 'V':
+                        if (strcmp(optarg, "TLS1") == 0) {
+                                version = TLS1_VERSION;
+                        } else if (strcmp(optarg, "TLS1_1") == 0) {
+                                version = TLS1_1_VERSION;
+                        } else if (strcmp(optarg, "TLS1_2") == 0) {
+                                version = TLS1_2_VERSION;
+#ifdef TLS1_3_VERSION
+                        } else if (strcmp(optarg, "TLS1_3") == 0) {
+                                version = TLS1_3_VERSION;
+#endif
+                        } else {
+                                errx(1, "unknown protocol version: %s", optarg);
+                        }
+                        break;
                case 'v':
                        /* use twice to force client cert */
                        verify++;
@@ -113,7 +129,24 @@ main(int argc, char *argv[])
        if (method == NULL)
                err_ssl(1, "TLS_server_method");
 #else
-        method = SSLv23_server_method();
+        switch (version) {
+        case TLS1_VERSION:
+                method = TLSv1_server_method();
+                break;
+        case TLS1_1_VERSION:
+                method = TLSv1_1_server_method();
+                break;
+        case TLS1_2_VERSION:
+                method = TLSv1_2_server_method();
+                break;
+#ifdef TLS1_3_VERSION
+        case TLS1_3_VERSION:
+                err(1, "TLS1_3 not supported");
+#endif
+        default:
+                method = SSLv23_server_method();
+                break;
+        }
        if (method == NULL)
                err_ssl(1, "SSLv23_server_method");
 #endif
@@ -121,6 +154,15 @@ main(int argc, char *argv[])
        if (ctx == NULL)
                err_ssl(1, "SSL_CTX_new");
+#if OPENSSL_VERSION_NUMBER >= 0x1010000f
+        if (version) {
+                if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
+                        err_ssl(1, "SSL_CTX_set_min_proto_version");
+                if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
+                        err_ssl(1, "SSL_CTX_set_max_proto_version");
+        }
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
        /* needed to use DHE cipher with libressl */
        if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
new file mode 100644
index 0000000000..0f1d891f34
--- /dev/null
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -0,0 +1,97 @@
+# $OpenBSD: Makefile,v 1.1 2020/09/14 00:51:04 bluhm Exp $
+# Connect a client to a server.  Both can be current libressl, or
+# openssl 1.0.2, or openssl 1.1.  Pin client or server to a fixed TLS
+# version number.  Incompatible versions must fail.  Check that client 
+# and server have used correct version by grepping in their session
+# print out.
+LIBRARIES =             libressl
+.if exists(/usr/local/bin/eopenssl)
+LIBRARIES +=            openssl
+.endif
+.if exists(/usr/local/bin/eopenssl11)
+LIBRARIES +=            openssl11
+.endif
+VERSIONS =      any TLS1 TLS1_1 TLS1_2 TLS1_3
+.for cver in ${VERSIONS}
+.for sver in ${VERSIONS}
+.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}"
+FAIL_${cver}_${sver} =
+.else
+FAIL_${cver}_${sver} = !
+.endif
+.for clib in ${LIBRARIES}
+.for slib in ${LIBRARIES}
+.if ("${clib}" != openssl && "${slib}" != openssl) || \
+    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
+REGRESS_TARGETS +=      run-version-client-${clib}-${cver}-server-${slib}-${sver}
+run-version-client-${clib}-${cver}-server-${slib}-${sver} \
+client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
+server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
+    127.0.0.1.crt ../${clib}/client ../${slib}/server
+        @echo '\n======== $@ ========'
+        LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
+            ../${slib}/server >${@:S/^run/server/}.out \
+            -c 127.0.0.1.crt -k 127.0.0.1.key \
+            ${sver:Nany:S/^/-V /} \
+            127.0.0.1 0
+        ${FAIL_${cver}_${sver}} \
+        LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
+            ../${clib}/client >${@:S/^run/client/}.out \
+            ${cver:Nany:S/^/-V /} \
+            `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
+.if empty(${FAIL_${cver}_${sver}})
+        grep -q '^success$$' ${@:S/^run/server/}.out || \
+            { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
+        grep -q '^success$$' ${@:S/^run/client/}.out
+.endif
+.if empty(${FAIL_${cver}_${sver}})
+REGRESS_TARGETS +=      check-version-client-${clib}-${cver}-server-${slib}-${sver}
+check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
+    client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
+    server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
+        @echo '\n======== $@ ========'
+        @grep ' Protocol *: ' ${@:S/^check/client/}.out
+        @grep ' Protocol *: ' ${@:S/^check/server/}.out
+.if "${cver}" == any
+.if "${sver}" == any
+.if "${clib}" == openssl || "${slib}" == openssl
+        grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
+        grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
+.else
+        grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
+        grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
+.endif
+.else
+        grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
+            ${@:S/^check/client/}.out
+        grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
+            ${@:S/^check/server/}.out
+.endif
+.else
+        grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
+            ${@:S/^check/client/}.out
+        grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
+            ${@:S/^check/server/}.out
+.endif
+.endif
+.endif
+.endfor
+.endfor
+.endfor
+.endfor
+.include <bsd.regress.mk>
author	bluhm <>	2020-09-14 00:51:04 +0000
committer	bluhm <>	2020-09-14 00:51:04 +0000
commit	de3c5baf1f0309bd56938c276ecea61df1e4b2b5 (patch)
tree	d7a87e6235bf9551c9bbb049af338dbb6ca080e8
parent	7e6ac45008128aea17a084b0274f94a64f355826 (diff)
download	openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.tar.gz openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.tar.bz2 openbsd-de3c5baf1f0309bd56938c276ecea61df1e4b2b5.zip

diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile index 5ad9041276..cf06d8c022 100644 --- a/src/regress/lib/libssl/interop/Makefile +++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,10 +1,11 @@
1	# $OpenBSD: Makefile,v 1.10 2020/09/11 22:48:00 bluhm Exp $	1	# $OpenBSD: Makefile,v 1.11 2020/09/14 00:51:04 bluhm Exp $
2		2
3	SUBDIR = libressl openssl openssl11	3	SUBDIR = libressl openssl openssl11
4		4
5	# the above binaries must have been built before we can continue	5	# the above binaries must have been built before we can continue
6	SUBDIR += cert	6	SUBDIR += cert
7	SUBDIR += cipher	7	SUBDIR += cipher
		8	SUBDIR += version
8	SUBDIR += netcat	9	SUBDIR += netcat
9	SUBDIR += session	10	SUBDIR += session
10		11


diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c index 6a85e35c92..a8e66c2876 100644 --- a/src/regress/lib/libssl/interop/client.c +++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: client.c,v 1.9 2020/09/11 22:48:00 bluhm Exp $ */	1	/* $OpenBSD: client.c,v 1.10 2020/09/14 00:51:04 bluhm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>	3	* Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4	*	4	*
@@ -35,7 +35,7 @@ void __dead
35	usage(void)	35	usage(void)
36	{	36	{
37	fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "	37	fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
38	"[-l ciphers] host port\n");	38	"[-l ciphers] [-V version] host port\n");
39	exit(2);	39	exit(2);
40	}	40	}
41		41
@@ -48,11 +48,12 @@ main(int argc, char *argv[])
48	BIO *bio;	48	BIO *bio;
49	SSL_SESSION *session = NULL;	49	SSL_SESSION *session = NULL;
50	int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;	50	int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
		51	int version = 0;
51	char buf[256];	52	char buf[256];
52	char ca = NULL, crt = NULL, key = NULL, ciphers = NULL;	53	char ca = NULL, crt = NULL, key = NULL, ciphers = NULL;
53	char host_port, host = "127.0.0.1", *port = "0";	54	char host_port, host = "127.0.0.1", *port = "0";
54		55
55	while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {	56	while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
56	switch (ch) {	57	switch (ch) {
57	case 'C':	58	case 'C':
58	ca = optarg;	59	ca = optarg;
@@ -73,6 +74,21 @@ main(int argc, char *argv[])
73	/* multiple reueses are possible */	74	/* multiple reueses are possible */
74	sessionreuse++;	75	sessionreuse++;
75	break;	76	break;
		77	case 'V':
		78	if (strcmp(optarg, "TLS1") == 0) {
		79	version = TLS1_VERSION;
		80	} else if (strcmp(optarg, "TLS1_1") == 0) {
		81	version = TLS1_1_VERSION;
		82	} else if (strcmp(optarg, "TLS1_2") == 0) {
		83	version = TLS1_2_VERSION;
		84	#ifdef TLS1_3_VERSION
		85	} else if (strcmp(optarg, "TLS1_3") == 0) {
		86	version = TLS1_3_VERSION;
		87	#endif
		88	} else {
		89	errx(1, "unknown protocol version: %s", optarg);
		90	}
		91	break;
76	case 'v':	92	case 'v':
77	verify = 1;	93	verify = 1;
78	break;	94	break;
@@ -104,7 +120,24 @@ main(int argc, char *argv[])
104	if (method == NULL)	120	if (method == NULL)
105	err_ssl(1, "TLS_client_method");	121	err_ssl(1, "TLS_client_method");
106	#else	122	#else
107	method = SSLv23_client_method();	123	switch (version) {
		124	case TLS1_VERSION:
		125	method = TLSv1_client_method();
		126	break;
		127	case TLS1_1_VERSION:
		128	method = TLSv1_1_client_method();
		129	break;
		130	case TLS1_2_VERSION:
		131	method = TLSv1_2_client_method();
		132	break;
		133	#ifdef TLS1_3_VERSION
		134	case TLS1_3_VERSION:
		135	err(1, "TLS1_3 not supported");
		136	#endif
		137	default:
		138	method = SSLv23_client_method();
		139	break;
		140	}
108	if (method == NULL)	141	if (method == NULL)
109	err_ssl(1, "SSLv23_client_method");	142	err_ssl(1, "SSLv23_client_method");
110	#endif	143	#endif
@@ -112,6 +145,15 @@ main(int argc, char *argv[])
112	if (ctx == NULL)	145	if (ctx == NULL)
113	err_ssl(1, "SSL_CTX_new");	146	err_ssl(1, "SSL_CTX_new");
114		147
		148	#if OPENSSL_VERSION_NUMBER >= 0x1010000f
		149	if (version) {
		150	if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
		151	err_ssl(1, "SSL_CTX_set_min_proto_version");
		152	if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
		153	err_ssl(1, "SSL_CTX_set_max_proto_version");
		154	}
		155	#endif
		156
115	/* load client certificate */	157	/* load client certificate */
116	if (crt != NULL) {	158	if (crt != NULL) {
117	if (SSL_CTX_use_certificate_file(ctx, crt,	159	if (SSL_CTX_use_certificate_file(ctx, crt,


diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile index 16ec8cf086..d19e6eb306 100644 --- a/src/regress/lib/libssl/interop/libressl/Makefile +++ b/src/regress/lib/libssl/interop/libressl/Makefile
@@ -1,6 +1,7 @@
1	# $OpenBSD: Makefile,v 1.6 2020/05/11 18:20:24 jsing Exp $	1	# $OpenBSD: Makefile,v 1.7 2020/09/14 00:51:04 bluhm Exp $
2		2
3	PROGS = client server	3	PROGS = client server
		4	CFLAGS = -DLIBRESSL_HAS_TLS1_3
4	CPPFLAGS =	5	CPPFLAGS =
5	LDFLAGS =	6	LDFLAGS =
6	LDADD = -lssl -lcrypto	7	LDADD = -lssl -lcrypto


diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c index 6723817498..4b9dd0f506 100644 --- a/src/regress/lib/libssl/interop/server.c +++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: server.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $ */	1	/* $OpenBSD: server.c,v 1.9 2020/09/14 00:51:04 bluhm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>	3	* Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4	*	4	*
@@ -36,7 +36,7 @@ void __dead
36	usage(void)	36	usage(void)
37	{	37	{
38	fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "	38	fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
39	"[-l ciphers] [-p dhparam] [host port]\n");	39	"[-l ciphers] [-p dhparam] [-V version] [host port]\n");
40	exit(2);	40	exit(2);
41	}	41	}
42		42
@@ -49,11 +49,12 @@ main(int argc, char *argv[])
49	BIO abio, cbio;	49	BIO abio, cbio;
50	SSL_SESSION *session;	50	SSL_SESSION *session;
51	int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;	51	int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
		52	int version = 0;
52	char buf[256], *dhparam = NULL;	53	char buf[256], *dhparam = NULL;
53	char ca = NULL, crt = NULL, key = NULL, ciphers = NULL;	54	char ca = NULL, crt = NULL, key = NULL, ciphers = NULL;
54	char host_port, host = "127.0.0.1", *port = "0";	55	char host_port, host = "127.0.0.1", *port = "0";
55		56
56	while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sv")) != -1) {	57	while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
57	switch (ch) {	58	switch (ch) {
58	case 'C':	59	case 'C':
59	ca = optarg;	60	ca = optarg;
@@ -77,6 +78,21 @@ main(int argc, char *argv[])
77	/* multiple reueses are possible */	78	/* multiple reueses are possible */
78	sessionreuse++;	79	sessionreuse++;
79	break;	80	break;
		81	case 'V':
		82	if (strcmp(optarg, "TLS1") == 0) {
		83	version = TLS1_VERSION;
		84	} else if (strcmp(optarg, "TLS1_1") == 0) {
		85	version = TLS1_1_VERSION;
		86	} else if (strcmp(optarg, "TLS1_2") == 0) {
		87	version = TLS1_2_VERSION;
		88	#ifdef TLS1_3_VERSION
		89	} else if (strcmp(optarg, "TLS1_3") == 0) {
		90	version = TLS1_3_VERSION;
		91	#endif
		92	} else {
		93	errx(1, "unknown protocol version: %s", optarg);
		94	}
		95	break;
80	case 'v':	96	case 'v':
81	/* use twice to force client cert */	97	/* use twice to force client cert */
82	verify++;	98	verify++;
@@ -113,7 +129,24 @@ main(int argc, char *argv[])
113	if (method == NULL)	129	if (method == NULL)
114	err_ssl(1, "TLS_server_method");	130	err_ssl(1, "TLS_server_method");
115	#else	131	#else
116	method = SSLv23_server_method();	132	switch (version) {
		133	case TLS1_VERSION:
		134	method = TLSv1_server_method();
		135	break;
		136	case TLS1_1_VERSION:
		137	method = TLSv1_1_server_method();
		138	break;
		139	case TLS1_2_VERSION:
		140	method = TLSv1_2_server_method();
		141	break;
		142	#ifdef TLS1_3_VERSION
		143	case TLS1_3_VERSION:
		144	err(1, "TLS1_3 not supported");
		145	#endif
		146	default:
		147	method = SSLv23_server_method();
		148	break;
		149	}
117	if (method == NULL)	150	if (method == NULL)
118	err_ssl(1, "SSLv23_server_method");	151	err_ssl(1, "SSLv23_server_method");
119	#endif	152	#endif
@@ -121,6 +154,15 @@ main(int argc, char *argv[])
121	if (ctx == NULL)	154	if (ctx == NULL)
122	err_ssl(1, "SSL_CTX_new");	155	err_ssl(1, "SSL_CTX_new");
123		156
		157	#if OPENSSL_VERSION_NUMBER >= 0x1010000f
		158	if (version) {
		159	if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
		160	err_ssl(1, "SSL_CTX_set_min_proto_version");
		161	if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
		162	err_ssl(1, "SSL_CTX_set_max_proto_version");
		163	}
		164	#endif
		165
124	#if OPENSSL_VERSION_NUMBER >= 0x10100000	166	#if OPENSSL_VERSION_NUMBER >= 0x10100000
125	/* needed to use DHE cipher with libressl */	167	/* needed to use DHE cipher with libressl */
126	if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)	168	if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)


diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile new file mode 100644 index 0000000000..0f1d891f34 --- /dev/null +++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -0,0 +1,97 @@
		1	# $OpenBSD: Makefile,v 1.1 2020/09/14 00:51:04 bluhm Exp $
		2
		3	# Connect a client to a server. Both can be current libressl, or
		4	# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
		5	# version number. Incompatible versions must fail. Check that client
		6	# and server have used correct version by grepping in their session
		7	# print out.
		8
		9	LIBRARIES = libressl
		10	.if exists(/usr/local/bin/eopenssl)
		11	LIBRARIES += openssl
		12	.endif
		13	.if exists(/usr/local/bin/eopenssl11)
		14	LIBRARIES += openssl11
		15	.endif
		16
		17	VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
		18
		19	.for cver in ${VERSIONS}
		20	.for sver in ${VERSIONS}
		21
		22	.if "${cver}" == any \|\| "${sver}" == any \|\| "${cver}" == "${sver}"
		23	FAIL_${cver}_${sver} =
		24	.else
		25	FAIL_${cver}_${sver} = !
		26	.endif
		27
		28	.for clib in ${LIBRARIES}
		29	.for slib in ${LIBRARIES}
		30
		31	.if ("${clib}" != openssl && "${slib}" != openssl) \|\| \
		32	("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
		33
		34	REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
		35
		36	run-version-client-${clib}-${cver}-server-${slib}-${sver} \
		37	client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
		38	server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
		39	127.0.0.1.crt ../${clib}/client ../${slib}/server
		40	@echo '\n======== $@ ========'
		41	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
		42	../${slib}/server >${@:S/^run/server/}.out \
		43	-c 127.0.0.1.crt -k 127.0.0.1.key \
		44	${sver:Nany:S/^/-V /} \
		45	127.0.0.1 0
		46	${FAIL_${cver}_${sver}} \
		47	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
		48	../${clib}/client >${@:S/^run/client/}.out \
		49	${cver:Nany:S/^/-V /} \
		50	`sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
		51	.if empty(${FAIL_${cver}_${sver}})
		52	grep -q '^success$$' ${@:S/^run/server/}.out \|\| \
		53	{ sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
		54	grep -q '^success$$' ${@:S/^run/client/}.out
		55	.endif
		56
		57	.if empty(${FAIL_${cver}_${sver}})
		58
		59	REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
		60
		61	check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
		62	client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
		63	server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
		64	@echo '\n======== $@ ========'
		65	@grep ' Protocol *: ' ${@:S/^check/client/}.out
		66	@grep ' Protocol *: ' ${@:S/^check/server/}.out
		67	.if "${cver}" == any
		68	.if "${sver}" == any
		69	.if "${clib}" == openssl \|\| "${slib}" == openssl
		70	grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
		71	grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
		72	.else
		73	grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
		74	grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
		75	.endif
		76	.else
		77	grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
		78	${@:S/^check/client/}.out
		79	grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
		80	${@:S/^check/server/}.out
		81	.endif
		82	.else
		83	grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
		84	${@:S/^check/client/}.out
		85	grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
		86	${@:S/^check/server/}.out
		87	.endif
		88	.endif
		89
		90	.endif
		91
		92	.endfor
		93	.endfor
		94	.endfor
		95	.endfor
		96
		97	.include <bsd.regress.mk>