authorcvs2svn <admin@example.com>2021-08-30 17:27:46 +0000
committercvs2svn <admin@example.com>2021-08-30 17:27:46 +0000
commit4e4f5b4c833ba5285e001bdb6b832bdf91c43da3 (patch)
treeab301f051b9dd067fa28b0fe56806a2893b8161e /src/regress/lib/libssl/interop
parent20a5de624e2e817be526407f2b8de078016ee258 (diff)
This commit was manufactured by cvs2git to create tag 'tb_20210830'.tb_20210830
Diffstat (limited to 'src/regress/lib/libssl/interop')
-rw-r--r--src/regress/lib/libssl/interop/LICENSE15
-rw-r--r--src/regress/lib/libssl/interop/Makefile19
-rw-r--r--src/regress/lib/libssl/interop/Makefile.inc90
-rw-r--r--src/regress/lib/libssl/interop/README22
-rw-r--r--src/regress/lib/libssl/interop/botan/Makefile82
-rw-r--r--src/regress/lib/libssl/interop/botan/client.cpp228
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile87
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile170
-rw-r--r--src/regress/lib/libssl/interop/client.c273
-rw-r--r--src/regress/lib/libssl/interop/libressl/Makefile34
-rw-r--r--src/regress/lib/libssl/interop/netcat/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/openssl/Makefile42
-rw-r--r--src/regress/lib/libssl/interop/openssl11/Makefile42
-rw-r--r--src/regress/lib/libssl/interop/server.c320
-rw-r--r--src/regress/lib/libssl/interop/session/Makefile46
-rw-r--r--src/regress/lib/libssl/interop/util.c145
-rw-r--r--src/regress/lib/libssl/interop/util.h23
-rw-r--r--src/regress/lib/libssl/interop/version/Makefile103
18 files changed, 0 insertions, 1825 deletions
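diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */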
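diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index aa9c3adf56..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.13 2020/09/21 15:13:24 beck Exp $
-
-SUBDIR = libressl openssl openssl11
-
-# the above binaries must have been built before we can continue
-SUBDIR += netcat
-SUBDIR += session
-SUBDIR += botan
-
-# What is below takes a long time.
-# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
-# will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
-SUBDIR += version
-SUBDIR += cipher
-# This takes a really long time.
-SUBDIR += cert
-
-.include <bsd.subdir.mk>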
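diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index ed5fe26147..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,90 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.8 2020/12/17 00:51:11 bluhm Exp $
-
-.PATH: ${.CURDIR}/..
-
-SRCS_client ?= client.c util.c
-SRCS_server ?= server.c util.c
-WARNINGS = yes
-CLEANFILES += *.out *.fstat
-
-.for p in ${PROGS}
-ldd-$p.out: $p
- # programs must be linked with correct libraries
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
-.endfor
-
-client-self.out server-self.out: run-self-client-server
-
-run-self-client-server: client server 127.0.0.1.crt
- # check that tls client and server work together
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./server >server-self.out \
- 127.0.0.1 0
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./client >client-self.out \
- `sed -n 's/listen sock: //p' server-self.out`
- # check that the client run successfully to the end
- grep -q '^success$$' client-self.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-self.out
- # check that the server child run successfully to the end
- grep -q '^success$$' server-self.out
- # server must have read client hello
- grep -q '^<<< hello$$' server-self.out
-
-# create certificates for TLS
-
-CLEANFILES += 127.0.0.1.{crt,key} \
- ca.{crt,key,srl} fake-ca.{crt,key} \
- {client,server}.{req,crt,key} \
- {dsa,ec,gost,rsa}.{key,req,crt} \
- dh.param
-
-127.0.0.1.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=server/CN=${@:R}/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-ca.crt fake-ca.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-client.req server.req:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -newkey rsa -keyout ${@:R}.key -out $@
-
-client.crt server.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@
-
-dh.param:
- openssl dhparam -out $@ 1024
-
-dsa.key:
- openssl dsaparam -genkey -out $@ 2048
-
-ec.key:
- openssl ecparam -genkey -name secp256r1 -out $@
-
-gost.key:
- openssl genpkey -algorithm gost2001 \
- -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@
-
-rsa.key:
- openssl genrsa -out $@ 2048
-
-dsa.req ec.req rsa.req: ${@:R}.key
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-gost.req: ${@:R}.key
- openssl req -batch -new -md_gost94 \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@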
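diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
deleted file mode 100644
index 54910e554d..0000000000
--- a/src/regress/lib/libssl/interop/README
+++ /dev/null
@@ -1,22 +0,0 @@
-Test TLS interoperability between LibreSSL and OpenSSL.
-
-Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
-way API compatibility is tested.
-
-To self test each SSL library, connect client with server. Check
-that the highest available TLS version is selected. LibreSSL TLS
-1.3 check has to be enabled when the feature becomes available.
-
-Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
-soon as LibreSSL supports TLS 1.3, it should be used automatically
-when netcat is communicating with OpenSSL 1.1.
-
-Connect and accept with netcat to test protocol compatibility with
-libtls. Test TLS session reuse multiple times with different library
-combinations. The cert subdir is testing all combinations of
-certificate validation. Having the three libraries, client and
-server certificates, missing or invalid CA or certificates, and
-enforcing peer certificate results in 1944 test cases. The cipher
-test establishes connections between implementations for each
-supported cipher.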
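diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
deleted file mode 100644
index a162ee9e17..0000000000
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@
-# $OpenBSD: Makefile,v 1.4 2020/12/17 00:51:11 bluhm Exp $
-
-.include <bsd.own.mk>
-
-.if ! exists(/usr/local/bin/botan)
-regress:
- # install botan2 from ports for interop tests
- @echo SKIPPED
-.elif (${COMPILER_VERSION:L} != "clang" && ! exists(/usr/local/bin/eg++))
-regress:
- # on gcc-archs install g++ from ports for botan2 interop tests
- @echo SKIPPED
-.else
-
-# C++11
-.if ${COMPILER_VERSION:L} != "clang" && ${CXX} == "c++"
-CXX = /usr/local/bin/eg++
-.endif
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-PROGS = client
-SRCS_client = client.cpp
-CXXFLAGS = -I/usr/local/include/botan-2 -Wall
-LDFLAGS = -L/usr/local/lib
-LDADD = -lbotan-2
-DPADD = /usr/local/lib/libbotan-2.a
-
-.for lib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-client-botan-server-${lib}
-
-run-client-botan-server-${lib}: client server.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
- ../${lib}/server >server-${lib}.out \
- -c server.crt -k server.key \
- 127.0.0.1 0
- ./client >client-botan.out \
- -C ca.crt \
- 127.0.0.1 \
- `sed -n 's/listen sock: 127.0.0.1 //p' server-${lib}.out`
- # check that the server child run successfully to the end
- grep -q '^success$$' server-${lib}.out || \
- { sleep 1; grep -q '^success$$' server-${lib}.out; }
- # server must have read client hello
- grep -q '^<<< hello$$' server-${lib}.out
- # check that the client run successfully to the end
- grep -q '^success$$' client-botan.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-botan.out
- # currently botan supports TLS 1.2, adapt later
- grep -q ' Protocol *: TLSv1.2$$' server-${lib}.out
-
-.endfor
-
-server.key ca.key:
- /usr/local/bin/botan keygen >$@.tmp
- mv $@.tmp $@
-
-ca.crt: ${@:R}.key
- /usr/local/bin/botan gen_self_signed ${@:R}.key ${@:R} >$@.tmp \
- --organization=tls-regress --ca
- mv $@.tmp $@
-
-server.req: ${@:R}.key
- /usr/local/bin/botan gen_pkcs10 ${@:R}.key localhost >$@.tmp \
- --organization=tls-regress --dns=127.0.0.1
- mv $@.tmp $@
-
-server.crt: ca.crt ${@:R}.req
- /usr/local/bin/botan sign_cert ca.crt ca.key ${@:R}.req >$@.tmp
- mv $@.tmp $@
-
-.endif # exists(/usr/local/bin/botan)
-
-.include <bsd.regress.mk>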
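diff --git a/src/regress/lib/libssl/interop/botan/client.cpp b/src/regress/lib/libssl/interop/botan/client.cpp
deleted file mode 100644
index 2352d7bba2..0000000000
--- a/src/regress/lib/libssl/interop/botan/client.cpp
+++ /dev/null
@@ -1,228 +0,0 @@
-/* $OpenBSD: client.cpp,v 1.1 2020/09/15 01:45:16 bluhm Exp $ */
-/*
- * Copyright (c) 2019-2020 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <unistd.h>
-
-#include <botan/tls_client.h>
-#include <botan/tls_callbacks.h>
-#include <botan/tls_session_manager.h>
-#include <botan/tls_policy.h>
-#include <botan/auto_rng.h>
-#include <botan/certstor.h>
-
-#include <iostream>
-#include <string>
-using namespace std;
-
-class Callbacks : public Botan::TLS::Callbacks {
-public:
- Callbacks(int socket) :
- m_socket(socket)
- {}
-
- void print_sockname()
- {
- struct sockaddr_storage ss;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- socklen_t slen;
-
- slen = sizeof(ss);
- if (getsockname(m_socket, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getsockname");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port),
- NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- cout <<"sock: " <<host <<" " <<port <<endl <<flush;
- }
-
- void print_peername()
- {
- struct sockaddr_storage ss;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- socklen_t slen;
-
- slen = sizeof(ss);
- if (getpeername(m_socket, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getpeername");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port),
- NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- cout <<"peer: " <<host <<" " <<port <<endl <<flush;
- }
-
- void tls_emit_data(const uint8_t data[], size_t size) override
- {
- size_t off = 0, len = size;
-
- while (len > 0) {
- ssize_t n;
-
- n = send(m_socket, data + off, len, 0);
- if (n < 0)
- err(1, "send");
- off += n;
- len -= n;
- }
- }
-
- void tls_record_received(uint64_t seq_no, const uint8_t data[],
- size_t size) override
- {
- cout <<"<<< " <<string((const char *)data, size) <<flush;
-
- string str("hello\n");
- cout <<">>> " <<str <<flush;
- m_channel->send(str);
- m_channel->close();
- }
-
- void tls_alert(Botan::TLS::Alert alert) override
- {
- errx(1, "alert: %s", alert.type_string().c_str());
- }
-
- bool tls_session_established(const Botan::TLS::Session& session)
- override
- {
- cout <<"established" <<endl <<flush;
- return false;
- }
-
- void set_channel(Botan::TLS::Channel &channel) {
- m_channel = &channel;
- }
-
-protected:
- int m_socket = -1;
- Botan::TLS::Channel *m_channel = nullptr;
-};
-
-class Credentials : public Botan::Credentials_Manager {
-public:
- std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(
- const std::string &type, const std::string &context)
- override
- {
- std::vector<Botan::Certificate_Store*> cs { &m_ca };
- return cs;
- }
-
- void add_certificate_file(const std::string &file) {
- Botan::X509_Certificate cert(file);
- m_ca.add_certificate(cert);
- }
-private:
- Botan::Certificate_Store_In_Memory m_ca;
-};
-
-class Policy : public Botan::TLS::Strict_Policy {
-public:
- bool require_cert_revocation_info() const override {
- return false;
- }
-};
-
-void __dead
-usage(void)
-{
- fprintf(stderr, "usage: client [-C CA] host port\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
- struct addrinfo hints, *res;
- int ch, s, error;
- char buf[256];
- char *cafile = NULL;
- char *host, *port;
-
- while ((ch = getopt(argc, argv, "C:")) != -1) {
- switch (ch) {
- case 'C':
- cafile = optarg;
- break;
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if (argc == 2) {
- host = argv[0];
- port = argv[1];
- } else {
- usage();
- }
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_socktype = SOCK_STREAM;
- error = getaddrinfo(host, port, &hints, &res);
- if (error)
- errx(1, "getaddrinfo: %s", gai_strerror(error));
- if (res == NULL)
- errx(1, "getaddrinfo empty");
- s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
- if (s == -1)
- err(1, "socket");
- if (connect(s, res->ai_addr, res->ai_addrlen) == -1)
- err(1, "connect");
- freeaddrinfo(res);
-
- {
- Callbacks callbacks(s);
- Botan::AutoSeeded_RNG rng;
- Botan::TLS::Session_Manager_In_Memory session_mgr(rng);
- Credentials creds;
- if (cafile != NULL)
- creds.add_certificate_file(cafile);
- Policy policy;
-
- callbacks.print_sockname();
- callbacks.print_peername();
- Botan::TLS::Client client(callbacks, session_mgr, creds,
- policy, rng);
- callbacks.set_channel(client);
-
- while (!client.is_closed()) {
- ssize_t n;
-
- n = recv(s, buf, sizeof(buf), 0);
- if (n < 0)
- err(1, "recv");
- if (n == 0)
- errx(1, "eof");
- client.received_data((uint8_t *)&buf, n);
- }
- }
-
- if (close(s) == -1)
- err(1, "close");
-
- cout <<"success" <<endl;
-
- return 0;
-}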
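diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
deleted file mode 100644
index a8ea88aaa3..0000000000
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ /dev/null
@@ -1,87 +0,0 @@
-# $OpenBSD: Makefile,v 1.6 2020/12/17 00:51:11 bluhm Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create client and server certificates
-# that are signed by a CA and not signed by a fake CA. Try all
-# combinations with, without, and with wrong CA for client and server
-# and check the result of certificate verification.
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-.for cca in noca ca fakeca
-.for sca in noca ca fakeca
-.for ccert in nocert cert
-.for scert in nocert cert
-.for cv in noverify verify
-.for sv in noverify verify certverify
-
-# remember when certificate verification should fail
-.if (("${cv}" == verify && "${cca}" == ca && "${scert}" == cert) || \
- "${cv}" == noverify) && \
- (("${sv}" == verify && "${ccert}" == nocert) || \
- ("${sv}" == verify && "${sca}" == ca && "${ccert}" == cert) || \
- ("${sv}" == certverify && "${sca}" == ca && "${ccert}" == cert) || \
- "${sv}" == noverify)
-FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} =
-.else
-FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} = !
-.endif
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
-.else
-REGRESS_SLOW_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
-.endif
-
-run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}: \
- 127.0.0.1.crt ca.crt fake-ca.crt client.crt server.crt \
- ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
- ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
- ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \
- 127.0.0.1 0
- ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
- ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
- ${cv:S/^noverify//:S/^verify/-v/} \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}})
- grep '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
- grep '^success$$' ${@:S/^run/client/}.out
-.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \
- ("${cv}" == verify && "${scert}" != cert)
- grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out
-.endif
-
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-
-# argument list too long for a single rm *
-
-clean: _SUBDIRUSE
- rm -f client-*.out
- rm -f server-*.out
- rm -f a.out [Ee]rrs mklog *.core y.tab.h \
- ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES}
-
-.include <bsd.regress.mk>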
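diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
deleted file mode 100644
index c88309962d..0000000000
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ /dev/null
@@ -1,170 +0,0 @@
-# $OpenBSD: Makefile,v 1.7 2020/12/17 00:51:11 bluhm Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
-# and pin client and server to one of the ciphers. Use server
-# certificate with compatible type. Check that client and server
-# have used correct cipher by grepping in their session print out.
-
-run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
-run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \
-client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
-client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
-server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
-server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
-check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
-check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
- # gost does not work with libressl TLS 1.3 right now
- @echo DISABLED
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-CLEANFILES = *.tmp *.ciphers ciphers.mk
-
-.for clib in ${LIBRARIES}
-client-${clib}.ciphers:
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client -l ALL -L >$@.tmp
- sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
- rm $@.tmp
-.endfor
-.for slib in ${LIBRARIES}
-server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server -l ALL -L >$@.tmp
- sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
- rm $@.tmp
-.endfor
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-ciphers.mk: client-${clib}-server-${slib}.ciphers
-client-${clib}-server-${slib}.ciphers: \
- client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
- # get ciphers shared between client and server
- sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
- uniq -d <$@.tmp >$@
- # we are only interested in ciphers supported by libressl
- sort $@ client-libressl.ciphers >$@.tmp
- uniq -d <$@.tmp >$@
- rm $@.tmp
-.endfor
-.endfor
-
-ciphers.mk:
- rm -f $@ $@.tmp
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
- echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
- `cat client-${clib}-server-${slib}.ciphers`
-.endfor
-.endfor
- mv $@.tmp $@
-
-# hack to convert generated lists into usable make variables
-.if exists(ciphers.mk)
-.include "ciphers.mk"
-.else
-regress: ciphers.mk
- ${MAKE} -C ${.CURDIR} regress
-.endif
-
-LEVEL_libressl =
-LEVEL_openssl =
-LEVEL_openssl11 = ,@SECLEVEL=0
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-.for cipher in ${CIPHERS_${clib}_${slib}}
-
-.if "${cipher:M*-DSS-*}" != ""
-TYPE_${cipher} = dsa
-.elif "${cipher:M*-ECDSA-*}" != ""
-TYPE_${cipher} = ec
-.elif "${cipher:M*-GOST89-*}" != ""
-TYPE_${cipher} = gost
-.elif "${cipher:M*-RSA-*}" != ""
-TYPE_${cipher} = rsa
-.else
-TYPE_${cipher} = 127.0.0.1
-.endif
-
-.if "${slib}" == "openssl" && \
- "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
-DHPARAM_${cipher}_${slib} = -p dh.param
-.else
-DHPARAM_${cipher}_${slib} =
-.endif
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
-.else
-REGRESS_SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
-.endif
-run-cipher-${cipher}-client-${clib}-server-${slib} \
-client-cipher-${cipher}-client-${clib}-server-${slib}.out \
-server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
- 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
- -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
- 127.0.0.1 0
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- -l ${cipher}${LEVEL_${clib}} \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
- grep -q '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
- grep -q '^success$$' ${@:S/^run/client/}.out
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
-.else
-REGRESS_SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
-.endif
-check-cipher-${cipher}-client-${clib}-server-${slib}: \
- client-cipher-${cipher}-client-${clib}-server-${slib}.out \
- server-cipher-${cipher}-client-${clib}-server-${slib}.out
-.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
- "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3
- # client and server 1.3 capable, not TLS 1.3 cipher
-. if "${clib}" == "libressl"
- # libressl client may prefer chacha-poly if aes-ni is not supported
- egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/client/}.out
-. else
- # openssl 1.1 generic client cipher
- grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
-. endif
-. if "${clib}" == "libressl"
- # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11"
- egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
-. else
- egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/server/}.out
-. endif
-. else
-. if "${slib}" == "openssl11"
- # openssl 1.1 generic server cipher
- grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
-. else
- # libressl generic server cipher
- grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out
-. endif
-. endif
-.else
- grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
- grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
-.endif
-
-.endfor
-.endfor
-.endfor
-
-.include <bsd.regress.mk>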
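diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
deleted file mode 100644
index a8e66c2876..0000000000
--- a/src/regress/lib/libssl/interop/client.c
+++ /dev/null
@@ -1,273 +0,0 @@
-/* $OpenBSD: client.c,v 1.10 2020/09/14 00:51:04 bluhm Exp $ */
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-#include "util.h"
-
-void __dead usage(void);
-
-void __dead
-usage(void)
-{
- fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
- "[-l ciphers] [-V version] host port\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
- const SSL_METHOD *method;
- SSL_CTX *ctx;
- SSL *ssl;
- BIO *bio;
- SSL_SESSION *session = NULL;
- int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
- int version = 0;
- char buf[256];
- char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
- char *host_port, *host = "127.0.0.1", *port = "0";
-
- while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
- switch (ch) {
- case 'C':
- ca = optarg;
- break;
- case 'c':
- crt = optarg;
- break;
- case 'k':
- key = optarg;
- break;
- case 'L':
- listciphers = 1;
- break;
- case 'l':
- ciphers = optarg;
- break;
- case 's':
- /* multiple reueses are possible */
- sessionreuse++;
- break;
- case 'V':
- if (strcmp(optarg, "TLS1") == 0) {
- version = TLS1_VERSION;
- } else if (strcmp(optarg, "TLS1_1") == 0) {
- version = TLS1_1_VERSION;
- } else if (strcmp(optarg, "TLS1_2") == 0) {
- version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
- } else if (strcmp(optarg, "TLS1_3") == 0) {
- version = TLS1_3_VERSION;
-#endif
- } else {
- errx(1, "unknown protocol version: %s", optarg);
- }
- break;
- case 'v':
- verify = 1;
- break;
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if (argc == 2) {
- host = argv[0];
- port = argv[1];
- } else if (!listciphers) {
- usage();
- }
- if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
- host, port) == -1)
- err(1, "asprintf host port");
- if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
- errx(1, "certificate and private key must be used together");
-
- SSL_library_init();
- SSL_load_error_strings();
- print_version();
-
- /* setup method and context */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- method = TLS_client_method();
- if (method == NULL)
- err_ssl(1, "TLS_client_method");
-#else
- switch (version) {
- case TLS1_VERSION:
- method = TLSv1_client_method();
- break;
- case TLS1_1_VERSION:
- method = TLSv1_1_client_method();
- break;
- case TLS1_2_VERSION:
- method = TLSv1_2_client_method();
- break;
-#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- err(1, "TLS1_3 not supported");
-#endif
- default:
- method = SSLv23_client_method();
- break;
- }
- if (method == NULL)
- err_ssl(1, "SSLv23_client_method");
-#endif
- ctx = SSL_CTX_new(method);
- if (ctx == NULL)
- err_ssl(1, "SSL_CTX_new");
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- if (version) {
- if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_min_proto_version");
- if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_max_proto_version");
- }
-#endif
-
- /* load client certificate */
- if (crt != NULL) {
- if (SSL_CTX_use_certificate_file(ctx, crt,
- SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_certificate_file");
- if (SSL_CTX_use_PrivateKey_file(ctx, key,
- SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_PrivateKey_file");
- if (SSL_CTX_check_private_key(ctx) <= 0)
- err_ssl(1, "SSL_CTX_check_private_key");
- }
-
- /* verify server certificate */
- if (ca != NULL) {
- if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
- err_ssl(1, "SSL_CTX_load_verify_locations");
- }
- SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
- verify_callback);
-
- if (sessionreuse) {
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
- }
-
- if (ciphers) {
- if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
- err_ssl(1, "SSL_CTX_set_cipher_list");
- }
-
- if (listciphers) {
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- print_ciphers(SSL_get_ciphers(ssl));
- return 0;
- }
-
- do {
- /* setup bio for socket operations */
- bio = BIO_new_connect(host_port);
- if (bio == NULL)
- err_ssl(1, "BIO_new_connect");
-
- /* connect */
- if (BIO_do_connect(bio) <= 0)
- err_ssl(1, "BIO_do_connect");
- printf("connect ");
- print_sockname(bio);
- printf("connect ");
- print_peername(bio);
-
- /* do ssl client handshake */
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- SSL_set_bio(ssl, bio, bio);
- /* resuse session if possible */
- if (session != NULL) {
- if (SSL_set_session(ssl, session) <= 0)
- err_ssl(1, "SSL_set_session");
- }
- if ((error = SSL_connect(ssl)) <= 0)
- err_ssl(1, "SSL_connect %d", error);
- printf("session %d: %s\n", sessionreuse,
- SSL_session_reused(ssl) ? "reuse" : "new");
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- /* print session statistics */
- if (sessionreuse) {
- session = SSL_get1_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL1_get_session");
- } else {
- session = SSL_get_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL_get_session");
- }
- if (SSL_SESSION_print_fp(stdout, session) <= 0)
- err_ssl(1, "SSL_SESSION_print_fp");
-
- /* read server greeting and write client hello over TLS */
- if ((error = SSL_read(ssl, buf, 9)) <= 0)
- err_ssl(1, "SSL_read %d", error);
- if (error != 9)
- errx(1, "read not 9 bytes greeting: %d", error);
- buf[9] = '\0';
- printf("<<< %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- strlcpy(buf, "hello\n", sizeof(buf));
- printf(">>> %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- if ((error = SSL_write(ssl, buf, 6)) <= 0)
- err_ssl(1, "SSL_write %d", error);
- if (error != 6)
- errx(1, "write not 6 bytes hello: %d", error);
-
- /* shutdown connection */
- if ((error = SSL_shutdown(ssl)) < 0)
- err_ssl(1, "SSL_shutdown unidirectional %d", error);
- if (error <= 0) {
- if ((error = SSL_shutdown(ssl)) <= 0)
- err_ssl(1, "SSL_shutdown bidirectional %d",
- error);
- }
-
- SSL_free(ssl);
- } while (sessionreuse--);
-
- SSL_CTX_free(ctx);
-
- printf("success\n");
-
- return 0;
-}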
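diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
deleted file mode 100644
index d8e20ca122..0000000000
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ /dev/null
@@ -1,34 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2020/12/25 10:50:08 tb Exp $
-
-PROGS = client server
-CFLAGS += -DLIBRESSL_HAS_TLS1_3
-CPPFLAGS +=
-LDFLAGS +=
-LDADD += -lssl -lcrypto
-DPADD += ${LIBSSL} ${LIBCRYPTO}
-LD_LIBRARY_PATH =
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with LibreSSL
- grep -q /usr/lib/libcrypto.so ldd-$p.out
- grep -q /usr/lib/libssl.so ldd-$p.out
- # check that $p is not linked with OpenSSL
- ! grep /usr/local/lib/ ldd-$p.out
-
-run-version-$p: $p-self.out
- # check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that LibreSSL protocol version is TLS 1.3
- grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.include <bsd.regress.mk>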
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
deleted file mode 100644
index f337d4aae8..0000000000
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
1# $OpenBSD: Makefile,v 1.5 2020/12/17 00:51:11 bluhm Exp $
2
3LIBRARIES = libressl
4.if exists(/usr/local/bin/eopenssl)
5LIBRARIES += openssl
6.endif
7.if exists(/usr/local/bin/eopenssl11)
8LIBRARIES += openssl11
9.endif
10
11# run netcat server and connect with test client
12
13.for clib in ${LIBRARIES}
14
15REGRESS_TARGETS += run-netcat-client-${clib}-server-nc
16REGRESS_TARGETS += run-protocol-client-${clib}
17
18run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt
19 echo "greeting" | \
20 nc >${@:S/^run/server/}.out \
21 -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
22 127.0.0.1 0 & \
23 for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \
24 grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \
25 exit 0; done; exit 1
26 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
27 ../${clib}/client >${@:S/^run/client/}.out \
28 `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat`
29 # check that the client run successfully to the end
30 grep -q '^success$$' ${@:S/^run/client/}.out
31 # client must have read server greeting
32 grep -q '^<<< greeting$$' ${@:S/^run/client/}.out
33 # netstat server must have read client hello
34 grep -q '^hello$$' ${@:S/^run/server/}.out
35
36.endfor
37
38# run test server and connect with netcat client
39
40.for slib in ${LIBRARIES}
41
42REGRESS_TARGETS += run-netcat-client-nc-server-${slib}
43
44run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt
45 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
46 ../${slib}/server >${@:S/^run/server/}.out \
47 127.0.0.1 0
48 echo "hello" | \
49 nc >${@:S/^run/client/}.out \
50 -c -R 127.0.0.1.crt \
51 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
52 # check that the server child run successfully to the end
53 grep -q '^success$$' ${@:S/^run/server/}.out || \
54 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
55 # server must have read client hello
56 grep -q '^<<< hello$$' ${@:S/^run/server/}.out
57 # client must have read server greeting
58 grep -q '^greeting$$' ${@:S/^run/client/}.out
59
60.endfor
61
62# check the TLS protocol version in client and server logs
63
64.for clib in ${LIBRARIES}
65
66REGRESS_TARGETS += run-protocol-client-${clib}
67
68run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out
69 # check that LibTLS protocol version is TLS 1.2 or TLS 1.3
70 grep 'Protocol *: TLSv1.[23]' client-netcat-client-${clib}-server-nc.out
71
72.endfor
73
74.for slib in ${LIBRARIES}
75
76REGRESS_TARGETS += run-protocol-server-${slib}
77
78run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out
79 # check that LibTLS protocol version is TLS 1.2 or TLS 1.3
80 grep 'Protocol *: TLSv1.[23]' server-netcat-client-nc-server-${slib}.out
81
82.endfor
83
84.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
deleted file mode 100644
index 181d35aa02..0000000000
--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,42 +0,0 @@
1# $OpenBSD: Makefile,v 1.8 2020/12/17 00:51:11 bluhm Exp $
2
3.if ! exists(/usr/local/bin/eopenssl)
4regress:
5 # install openssl-1.0.2 from ports for interop tests
6 @echo SKIPPED
7.else
8
9PROGS = client server
10CPPFLAGS = -I /usr/local/include/eopenssl
11LDFLAGS = -L /usr/local/lib/eopenssl
12LDADD = -lssl -lcrypto
13DPADD = /usr/local/lib/eopenssl/libssl.a \
14 /usr/local/lib/eopenssl/libcrypto.a
15LD_LIBRARY_PATH = /usr/local/lib/eopenssl
16REGRESS_TARGETS = run-self-client-server
17.for p in ${PROGS}
18REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
19.endfor
20
21.for p in ${PROGS}
22
23run-ldd-$p: ldd-$p.out
24 # check that $p is linked with OpenSSL
25 grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
26 grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
27 # check that $p is not linked with LibreSSL
28 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
29
30run-version-$p: $p-self.out
31 # check that runtime version is OpenSSL 1.0.2
32 grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
33
34run-protocol-$p: $p-self.out
35 # check that OpenSSL 1.0.2 protocol version is TLS 1.2
36 grep 'Protocol *: TLSv1.2' $p-self.out
37
38.endfor
39
40.endif # exists(/usr/local/bin/eopenssl)
41
42.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl11/Makefile b/src/regress/lib/libssl/interop/openssl11/Makefile
deleted file mode 100644
index 32fd611ae4..0000000000
--- a/src/regress/lib/libssl/interop/openssl11/Makefile
+++ /dev/null
@@ -1,42 +0,0 @@
1# $OpenBSD: Makefile,v 1.7 2020/12/17 00:51:11 bluhm Exp $
2
3.if ! exists(/usr/local/bin/eopenssl11)
4regress:
5 # install openssl-1.1 from ports for interop tests
6 @echo SKIPPED
7.else
8
9PROGS = client server
10CPPFLAGS = -I /usr/local/include/eopenssl11
11LDFLAGS = -L /usr/local/lib/eopenssl11
12LDADD = -lssl -lcrypto
13DPADD = /usr/local/lib/eopenssl11/libssl.a \
14 /usr/local/lib/eopenssl11/libcrypto.a
15LD_LIBRARY_PATH = /usr/local/lib/eopenssl11
16REGRESS_TARGETS = run-self-client-server
17.for p in ${PROGS}
18REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
19.endfor
20
21.for p in ${PROGS}
22
23run-ldd-$p: ldd-$p.out
24 # check that $p is linked with OpenSSL 1.1
25 grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out
26 grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out
27 # check that $p is not linked with LibreSSL
28 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
29
30run-version-$p: $p-self.out
31 # check that runtime version is OpenSSL 1.1
32 grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out
33
34run-protocol-$p: $p-self.out
35 # check that OpenSSL 1.1 protocol version is TLS 1.3
36 grep 'Protocol *: TLSv1.3' $p-self.out
37
38.endfor
39
40.endif # exists(/usr/local/bin/eopenssl11)
41
42.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
deleted file mode 100644
index 68e277a87b..0000000000
--- a/src/regress/lib/libssl/interop/server.c
+++ /dev/null
@@ -1,320 +0,0 @@
1/* $OpenBSD: server.c,v 1.10 2021/07/06 11:50:34 bluhm Exp $ */
2/*
3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
28#include <openssl/err.h>
29#include <openssl/ssl.h>
30
31#include "util.h"
32
33void __dead usage(void);
34
35void __dead
36usage(void)
37{
38 fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
39 "[-l ciphers] [-p dhparam] [-V version] [host port]\n");
40 exit(2);
41}
42
43int
44main(int argc, char *argv[])
45{
46 const SSL_METHOD *method;
47 SSL_CTX *ctx;
48 SSL *ssl;
49 BIO *abio, *cbio;
50 SSL_SESSION *session;
51 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
52 int version = 0;
53 char buf[256], *dhparam = NULL;
54 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
55 char *host_port, *host = "127.0.0.1", *port = "0";
56
57 while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
58 switch (ch) {
59 case 'C':
60 ca = optarg;
61 break;
62 case 'c':
63 crt = optarg;
64 break;
65 case 'k':
66 key = optarg;
67 break;
68 case 'L':
69 listciphers = 1;
70 break;
71 case 'l':
72 ciphers = optarg;
73 break;
74 case 'p':
75 dhparam = optarg;
76 break;
77 case 's':
78 /* multiple reueses are possible */
79 sessionreuse++;
80 break;
81 case 'V':
82 if (strcmp(optarg, "TLS1") == 0) {
83 version = TLS1_VERSION;
84 } else if (strcmp(optarg, "TLS1_1") == 0) {
85 version = TLS1_1_VERSION;
86 } else if (strcmp(optarg, "TLS1_2") == 0) {
87 version = TLS1_2_VERSION;
88#ifdef TLS1_3_VERSION
89 } else if (strcmp(optarg, "TLS1_3") == 0) {
90 version = TLS1_3_VERSION;
91#endif
92 } else {
93 errx(1, "unknown protocol version: %s", optarg);
94 }
95 break;
96 case 'v':
97 /* use twice to force client cert */
98 verify++;
99 break;
100 default:
101 usage();
102 }
103 }
104 argc -= optind;
105 argv += optind;
106 if (argc == 2) {
107 host = argv[0];
108 port = argv[1];
109 } else if (argc != 0 && !listciphers) {
110 usage();
111 }
112 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
113 host, port) == -1)
114 err(1, "asprintf host port");
115 if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
116 errx(1, "certificate and private key must be used together");
117 if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
118 err(1, "asprintf crt");
119 if (key == NULL && asprintf(&key, "%s.key", host) == -1)
120 err(1, "asprintf key");
121
122 SSL_library_init();
123 SSL_load_error_strings();
124 print_version();
125
126 /* setup method and context */
127#if OPENSSL_VERSION_NUMBER >= 0x1010000f
128 method = TLS_server_method();
129 if (method == NULL)
130 err_ssl(1, "TLS_server_method");
131#else
132 switch (version) {
133 case TLS1_VERSION:
134 method = TLSv1_server_method();
135 break;
136 case TLS1_1_VERSION:
137 method = TLSv1_1_server_method();
138 break;
139 case TLS1_2_VERSION:
140 method = TLSv1_2_server_method();
141 break;
142#ifdef TLS1_3_VERSION
143 case TLS1_3_VERSION:
144 err(1, "TLS1_3 not supported");
145#endif
146 default:
147 method = SSLv23_server_method();
148 break;
149 }
150 if (method == NULL)
151 err_ssl(1, "SSLv23_server_method");
152#endif
153 ctx = SSL_CTX_new(method);
154 if (ctx == NULL)
155 err_ssl(1, "SSL_CTX_new");
156
157#if OPENSSL_VERSION_NUMBER >= 0x1010000f
158 if (version) {
159 if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
160 err_ssl(1, "SSL_CTX_set_min_proto_version");
161 if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
162 err_ssl(1, "SSL_CTX_set_max_proto_version");
163 }
164#endif
165
166#if OPENSSL_VERSION_NUMBER >= 0x10100000
167 /* needed to use DHE cipher with libressl */
168 if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
169 err_ssl(1, "SSL_CTX_set_dh_auto");
170#endif
171 /* needed to use ADH, EDH, DHE cipher with openssl */
172 if (dhparam != NULL) {
173 DH *dh;
174 FILE *file;
175
176 file = fopen(dhparam, "r");
177 if (file == NULL)
178 err(1, "fopen %s", dhparam);
179 dh = PEM_read_DHparams(file, NULL, NULL, NULL);
180 if (dh == NULL)
181 err_ssl(1, "PEM_read_DHparams");
182 if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0)
183 err_ssl(1, "SSL_CTX_set_tmp_dh");
184 fclose(file);
185 }
186
187 /* needed when linking with OpenSSL 1.0.2p */
188 if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
189 err_ssl(1, "SSL_CTX_set_ecdh_auto");
190
191 /* load server certificate */
192 if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
193 err_ssl(1, "SSL_CTX_use_certificate_file");
194 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0)
195 err_ssl(1, "SSL_CTX_use_PrivateKey_file");
196 if (SSL_CTX_check_private_key(ctx) <= 0)
197 err_ssl(1, "SSL_CTX_check_private_key");
198
199 /* request client certificate and verify it */
200 if (ca != NULL) {
201 STACK_OF(X509_NAME) *x509stack;
202
203 x509stack = SSL_load_client_CA_file(ca);
204 if (x509stack == NULL)
205 err_ssl(1, "SSL_load_client_CA_file");
206 SSL_CTX_set_client_CA_list(ctx, x509stack);
207 if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
208 err_ssl(1, "SSL_CTX_load_verify_locations");
209 }
210 SSL_CTX_set_verify(ctx,
211 verify == 0 ? SSL_VERIFY_NONE :
212 verify == 1 ? SSL_VERIFY_PEER :
213 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
214 verify_callback);
215
216 if (sessionreuse) {
217 uint32_t context;
218
219 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
220 context = arc4random();
221 if (SSL_CTX_set_session_id_context(ctx,
222 (unsigned char *)&context, sizeof(context)) <= 0)
223 err_ssl(1, "SSL_CTX_set_session_id_context");
224 }
225
226 if (ciphers) {
227 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
228 err_ssl(1, "SSL_CTX_set_cipher_list");
229 }
230
231 if (listciphers) {
232 ssl = SSL_new(ctx);
233 if (ssl == NULL)
234 err_ssl(1, "SSL_new");
235 print_ciphers(SSL_get_ciphers(ssl));
236 return 0;
237 }
238
239 /* setup bio for socket operations */
240 abio = BIO_new_accept(host_port);
241 if (abio == NULL)
242 err_ssl(1, "BIO_new_accept");
243
244 /* bind, listen */
245 if (BIO_do_accept(abio) <= 0)
246 err_ssl(1, "BIO_do_accept setup");
247 printf("listen ");
248 print_sockname(abio);
249
250 /* fork to background and set timeout */
251 if (daemon(1, 1) == -1)
252 err(1, "daemon");
253 alarm(10);
254
255 do {
256 /* accept connection */
257 if (BIO_do_accept(abio) <= 0)
258 err_ssl(1, "BIO_do_accept wait");
259 cbio = BIO_pop(abio);
260 printf("accept ");
261 print_sockname(cbio);
262 printf("accept ");
263 print_peername(cbio);
264
265 /* do ssl server handshake */
266 ssl = SSL_new(ctx);
267 if (ssl == NULL)
268 err_ssl(1, "SSL_new");
269 SSL_set_bio(ssl, cbio, cbio);
270 if ((error = SSL_accept(ssl)) <= 0)
271 err_ssl(1, "SSL_accept %d", error);
272 printf("session %d: %s\n", sessionreuse,
273 SSL_session_reused(ssl) ? "reuse" : "new");
274 if (fflush(stdout) != 0)
275 err(1, "fflush stdout");
276
277
278 /* print session statistics */
279 session = SSL_get_session(ssl);
280 if (session == NULL)
281 err_ssl(1, "SSL_get_session");
282 if (SSL_SESSION_print_fp(stdout, session) <= 0)
283 err_ssl(1, "SSL_SESSION_print_fp");
284
285 /* write server greeting and read client hello over TLS */
286 strlcpy(buf, "greeting\n", sizeof(buf));
287 printf(">>> %s", buf);
288 if (fflush(stdout) != 0)
289 err(1, "fflush stdout");
290 if ((error = SSL_write(ssl, buf, 9)) <= 0)
291 err_ssl(1, "SSL_write %d", error);
292 if (error != 9)
293 errx(1, "write not 9 bytes greeting: %d", error);
294 if ((error = SSL_read(ssl, buf, 6)) <= 0)
295 err_ssl(1, "SSL_read %d", error);
296 if (error != 6)
297 errx(1, "read not 6 bytes hello: %d", error);
298 buf[6] = '\0';
299 printf("<<< %s", buf);
300 if (fflush(stdout) != 0)
301 err(1, "fflush stdout");
302
303 /* shutdown connection */
304 if ((error = SSL_shutdown(ssl)) < 0)
305 err_ssl(1, "SSL_shutdown unidirectional %d", error);
306 if (error <= 0) {
307 if ((error = SSL_shutdown(ssl)) <= 0)
308 err_ssl(1, "SSL_shutdown bidirectional %d",
309 error);
310 }
311
312 SSL_free(ssl);
313 } while (sessionreuse--);
314
315 SSL_CTX_free(ctx);
316
317 printf("success\n");
318
319 return 0;
320}
diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile
deleted file mode 100644
index 12d3eb2af7..0000000000
--- a/src/regress/lib/libssl/interop/session/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
1# $OpenBSD: Makefile,v 1.6 2020/12/17 00:51:11 bluhm Exp $
2
3LIBRARIES = libressl
4.if exists(/usr/local/bin/eopenssl)
5LIBRARIES += openssl
6.endif
7.if exists(/usr/local/bin/eopenssl11)
8LIBRARIES += openssl11
9.endif
10
11run-session-client-libressl-server-libressl \
12run-session-client-libressl-server-openssl11 \
13run-session-client-openssl11-server-libressl \
14run-session-client-openssl11-server-openssl11:
15 # TLS 1.3 needs some extra setup for session reuse
16 @echo DISABLED
17
18.for clib in ${LIBRARIES}
19.for slib in ${LIBRARIES}
20
21REGRESS_TARGETS += run-session-client-${clib}-server-${slib}
22
23run-session-client-${clib}-server-${slib}: \
24 127.0.0.1.crt ../${clib}/client ../${slib}/server
25 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
26 ../${slib}/server >${@:S/^run/server/}.out \
27 -ss \
28 127.0.0.1 0
29 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
30 ../${clib}/client >${@:S/^run/client/}.out \
31 -ss \
32 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
33 grep '^success$$' ${@:S/^run/server/}.out || \
34 { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
35 grep '^success$$' ${@:S/^run/client/}.out
36 grep '^session 2: new$$' ${@:S/^run/server/}.out
37 grep '^session 2: new$$' ${@:S/^run/client/}.out
38 grep '^session 1: reuse$$' ${@:S/^run/server/}.out
39 grep '^session 1: reuse$$' ${@:S/^run/client/}.out
40 grep '^session 0: reuse$$' ${@:S/^run/server/}.out
41 grep '^session 0: reuse$$' ${@:S/^run/client/}.out
42
43.endfor
44.endfor
45
46.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/util.c b/src/regress/lib/libssl/interop/util.c
deleted file mode 100644
index 5190e81828..0000000000
--- a/src/regress/lib/libssl/interop/util.c
+++ /dev/null
@@ -1,145 +0,0 @@
1/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24
25#include <openssl/err.h>
26#include <openssl/ssl.h>
27#include <openssl/opensslv.h>
28#include <openssl/crypto.h>
29
30#include "util.h"
31
32void
33print_version(void)
34{
35#ifdef OPENSSL_VERSION_NUMBER
36 printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
37#endif
38#ifdef LIBRESSL_VERSION_NUMBER
39 printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
40#endif
41#ifdef LIBRESSL_VERSION_TEXT
42 printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x1010000f
45 printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
46 printf("OpenSSL_version OPENSSL_VERSION: %s\n",
47 OpenSSL_version(OPENSSL_VERSION));
48 printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
49 OpenSSL_version(OPENSSL_CFLAGS));
50 printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
51 OpenSSL_version(OPENSSL_BUILT_ON));
52 printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
53 OpenSSL_version(OPENSSL_PLATFORM));
54 printf("OpenSSL_version OPENSSL_DIR: %s\n",
55 OpenSSL_version(OPENSSL_DIR));
56 printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
57 OpenSSL_version(OPENSSL_ENGINES_DIR));
58#endif
59 printf("SSLeay: %#08lx\n", SSLeay());
60 printf("SSLeay_version SSLEAY_VERSION: %s\n",
61 SSLeay_version(SSLEAY_VERSION));
62 printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
63 SSLeay_version(SSLEAY_CFLAGS));
64 printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
65 SSLeay_version(SSLEAY_BUILT_ON));
66 printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
67 SSLeay_version(SSLEAY_PLATFORM));
68 printf("SSLeay_version SSLEAY_DIR: %s\n",
69 SSLeay_version(SSLEAY_DIR));
70}
71
72void
73print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
74{
75 const SSL_CIPHER *cipher;
76 int i;
77
78 for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
79 printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
80 if (fflush(stdout) != 0)
81 err(1, "fflush stdout");
82}
83
84void
85print_sockname(BIO *bio)
86{
87 struct sockaddr_storage ss;
88 socklen_t slen;
89 char host[NI_MAXHOST], port[NI_MAXSERV];
90 int fd;
91
92 if (BIO_get_fd(bio, &fd) <= 0)
93 err_ssl(1, "BIO_get_fd");
94 slen = sizeof(ss);
95 if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
96 err(1, "getsockname");
97 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
98 sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
99 errx(1, "getnameinfo");
100 printf("sock: %s %s\n", host, port);
101 if (fflush(stdout) != 0)
102 err(1, "fflush stdout");
103}
104
105void
106print_peername(BIO *bio)
107{
108 struct sockaddr_storage ss;
109 socklen_t slen;
110 char host[NI_MAXHOST], port[NI_MAXSERV];
111 int fd;
112
113 if (BIO_get_fd(bio, &fd) <= 0)
114 err_ssl(1, "BIO_get_fd");
115 slen = sizeof(ss);
116 if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
117 err(1, "getpeername");
118 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
119 sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
120 errx(1, "getnameinfo");
121 printf("peer: %s %s\n", host, port);
122 if (fflush(stdout) != 0)
123 err(1, "fflush stdout");
124}
125
126void
127err_ssl(int eval, const char *fmt, ...)
128{
129 va_list ap;
130
131 ERR_print_errors_fp(stderr);
132 va_start(ap, fmt);
133 verrx(eval, fmt, ap);
134 va_end(ap);
135}
136
137int
138verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
139{
140 printf("verify: %s\n", preverify_ok ? "pass" : "fail");
141 if (fflush(stdout) != 0)
142 err(1, "fflush stdout");
143
144 return preverify_ok;
145}
diff --git a/src/regress/lib/libssl/interop/util.h b/src/regress/lib/libssl/interop/util.h
deleted file mode 100644
index 7414a037d7..0000000000
--- a/src/regress/lib/libssl/interop/util.h
+++ /dev/null
@@ -1,23 +0,0 @@
1/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18void print_version(void);
19void print_ciphers(STACK_OF(SSL_CIPHER) *);
20void print_sockname(BIO *);
21void print_peername(BIO *);
22void err_ssl(int, const char *, ...);
23int verify_callback(int, X509_STORE_CTX *);
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
deleted file mode 100644
index 7ac86ccbeb..0000000000
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ /dev/null
@@ -1,103 +0,0 @@
1# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
5# version number. Incompatible versions must fail. Check that client
6# and server have used correct version by grepping in their session
7# print out.
8
9LIBRARIES = libressl
10.if exists(/usr/local/bin/eopenssl)
11LIBRARIES += openssl
12.endif
13.if exists(/usr/local/bin/eopenssl11)
14LIBRARIES += openssl11
15.endif
16
17VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
18
19.for cver in ${VERSIONS}
20.for sver in ${VERSIONS}
21
22.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}"
23FAIL_${cver}_${sver} =
24.else
25FAIL_${cver}_${sver} = !
26.endif
27
28.for clib in ${LIBRARIES}
29.for slib in ${LIBRARIES}
30
31.if ("${clib}" != openssl && "${slib}" != openssl) || \
32 ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
33
34.if ("${clib}" == "libressl" || "${slib}" == "libressl")
35REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
36.else
37REGRESS_SLOW_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
38.endif
39
40run-version-client-${clib}-${cver}-server-${slib}-${sver} \
41client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
42server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
43 127.0.0.1.crt ../${clib}/client ../${slib}/server
44 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
45 ../${slib}/server >${@:S/^run/server/}.out \
46 -c 127.0.0.1.crt -k 127.0.0.1.key \
47 ${sver:Nany:S/^/-V /} \
48 127.0.0.1 0
49 ${FAIL_${cver}_${sver}} \
50 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
51 ../${clib}/client >${@:S/^run/client/}.out \
52 ${cver:Nany:S/^/-V /} \
53 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
54.if empty(${FAIL_${cver}_${sver}})
55 grep -q '^success$$' ${@:S/^run/server/}.out || \
56 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
57 grep -q '^success$$' ${@:S/^run/client/}.out
58.endif
59
60.if empty(${FAIL_${cver}_${sver}})
61
62.if ("${clib}" == "libressl" || "${slib}" == "libressl")
63REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
64.else
65REGRESS_SLOW_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
66.endif
67
68check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
69 client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
70 server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
71 @grep ' Protocol *: ' ${@:S/^check/client/}.out
72 @grep ' Protocol *: ' ${@:S/^check/server/}.out
73.if "${cver}" == any
74.if "${sver}" == any
75.if "${clib}" == openssl || "${slib}" == openssl
76 grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
77 grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
78.else
79 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
80 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
81.endif
82.else
83 grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
84 ${@:S/^check/client/}.out
85 grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
86 ${@:S/^check/server/}.out
87.endif
88.else
89 grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
90 ${@:S/^check/client/}.out
91 grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
92 ${@:S/^check/server/}.out
93.endif
94.endif
95
96.endif
97
98.endfor
99.endfor
100.endfor
101.endfor
102
103.include <bsd.regress.mk>