author | tb <> | 2023-01-27 08:28:36 +0000 |
---|---|---|
committer | tb <> | 2023-01-27 08:28:36 +0000 |
commit | 6738561f9181a99b8aa084f27caeea50afddc836 (patch) | |
tree | 8c840e3c446da9e4d3e54e0fceea866197047f66 /src/regress/lib/libssl/interop/cipher | |
parent | 5eb039b0fc4e1e87f2b77fc8150abd2c9f9f518b (diff) | |
Add openssl 3.0 interop tests
The plan is to retire the 1.0.2 interop tests soon so as to be able to
drop the dead and dangerous OpenSSL 1.0.2 port.
The cert part is extremely slow on arm64: the whole interop test on an m1
is about 10x slower (~45 min!) than on a modern amd64 laptop, so people
running regress may want to wait a bit with adding OpenSSL 3 to their test
boxes until this is sorted out.
Diffstat (limited to 'src/regress/lib/libssl/interop/cipher')
-rw-r--r-- | src/regress/lib/libssl/interop/cipher/Makefile | 15 |
1 files changed, 10 insertions, 5 deletions
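--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
+# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers
 # and pin client and server to one of the ciphers. Use server
 # certificate with compatible type. Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -24,6 +24,9 @@ LIBRARIES += openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES += openssl30
+.endif
 
 CLEANFILES = *.tmp *.ciphers ciphers.mk
 
@@ -52,8 +55,9 @@ client-${clib}-server-${slib}.ciphers: \
 uniq -d <$@.tmp >$@
 # we are only interested in ciphers supported by libressl
 sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
-# OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
+"${clib}" == "openssl30" || "${slib}" == "openssl30"
+# OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
 sed -i '/^TLS_/d' $@.tmp
 . endif
 uniq -d <$@.tmp >$@
@@ -82,6 +86,7 @@ regress: ciphers.mk
 LEVEL_libressl =
 LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
+LEVEL_openssl30 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -148,7 +153,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
 # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11"
+. if "${slib}" == "openssl11" || "${slib}" == "openssl30"
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 . else
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out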
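Review bot: The new `LEVEL_openssl30 = ,@SECLEVEL=0` line (hunk at `regress: ciphers.mk`) has no comment explaining why the OpenSSL 3.0 peer is pinned to security level 0, which turns off OpenSSL's minimum-strength checks on ciphers and keys. That is reasonable for an interop matrix that has to exercise every cipher both sides list, but the setting is easy to copy into non-test configuration without that context. A comment above the `LEVEL_*` block such as `# @SECLEVEL=0: regress only, lets OpenSSL 1.1/3.0 accept every cipher in the list under test` would record the intent. How `LEVEL_${lib}` is appended to the cipher string is outside the hunks shown, so confirm the wording against that use.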