authortb <>2023-01-27 08:28:36 +0000
committertb <>2023-01-27 08:28:36 +0000
commit6738561f9181a99b8aa084f27caeea50afddc836 (patch)
tree8c840e3c446da9e4d3e54e0fceea866197047f66 /src/regress/lib/libssl/interop/cipher
parent5eb039b0fc4e1e87f2b77fc8150abd2c9f9f518b (diff)
Add openssl 3.0 interop tests
The plan is to retire the 1.0.2 interop tests soon so as to be able to drop the dead and dangerous OpenSSL 1.0.2 port. The cert part is extremely slow on arm64: the whole interop test on an m1 is about 10x slower (~45 min!) than on a modern amd64 laptop, so people running regress may want to wait a bit with adding OpenSSL 3 to their test boxes until this is sorted out.
Diffstat (limited to 'src/regress/lib/libssl/interop/cipher')
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile15
1 files changed, 10 insertions, 5 deletions
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index bfe8cfea7a..46951f6782 100644
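--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
+# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers
 # and pin client and server to one of the ciphers. Use server
 # certificate with compatible type. Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -24,6 +24,9 @@ LIBRARIES += openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES += openssl30
+.endif
 
 CLEANFILES = *.tmp *.ciphers ciphers.mk
 
@@ -52,8 +55,9 @@ client-${clib}-server-${slib}.ciphers: \
  uniq -d <$@.tmp >$@
  # we are only interested in ciphers supported by libressl
  sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
- # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
+ "${clib}" == "openssl30" || "${slib}" == "openssl30"
+ # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
  sed -i '/^TLS_/d' $@.tmp
 . endif
  uniq -d <$@.tmp >$@
@@ -82,6 +86,7 @@ regress: ciphers.mk
 LEVEL_libressl =
 LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
+LEVEL_openssl30 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -148,7 +153,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
  # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11"
+. if "${slib}" == "openssl11" || "${slib}" == "openssl30"
  egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 . else
  egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out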
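Review bot: `LEVEL_openssl30 = ,@SECLEVEL=0` in the fourth hunk has no comment saying why OpenSSL's security level is dropped to 0, the setting that lifts its minimum-strength restrictions on ciphers and keys. It is presumably deliberate, so that an OpenSSL 3.0 peer can still be pinned to the legacy suites libressl supports, but nothing next to the assignment says so, and a cipher string like this is easy to copy out of a test into real configuration. I would add one comment above the `LEVEL_*` assignments, for example `# @SECLEVEL=0: let OpenSSL >= 1.1 negotiate the legacy ciphers libressl still supports; regress only`. The place where `LEVEL_${clib}` / `LEVEL_${slib}` is expanded lies outside the hunk, so the exact scope of the setting should be confirmed there.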