authorcvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
committercvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
commiteb8dd9dca1228af0cd132f515509051ecfabf6f6 (patch)
treeedb6da6af7e865d488dc1a29309f1e1ec226e603 /src/regress/lib/libssl/interop
parent247f0352e0ed72a4f476db9dc91f4d982bc83eb2 (diff)
This commit was manufactured by cvs2git to create tag 'tb_20250414'.
Diffstat (limited to 'src/regress/lib/libssl/interop')
-rw-r--r--src/regress/lib/libssl/interop/LICENSE15
-rw-r--r--src/regress/lib/libssl/interop/Makefile19
-rw-r--r--src/regress/lib/libssl/interop/Makefile.inc83
-rw-r--r--src/regress/lib/libssl/interop/README18
-rw-r--r--src/regress/lib/libssl/interop/botan/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/botan/client.cpp228
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile98
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile159
-rw-r--r--src/regress/lib/libssl/interop/client.c285
-rw-r--r--src/regress/lib/libssl/interop/libressl/Makefile34
-rw-r--r--src/regress/lib/libssl/interop/netcat/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/openssl33/Makefile44
-rw-r--r--src/regress/lib/libssl/interop/openssl34/Makefile44
-rw-r--r--src/regress/lib/libssl/interop/server.c321
-rw-r--r--src/regress/lib/libssl/interop/session/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/util.c145
-rw-r--r--src/regress/lib/libssl/interop/util.h23
-rw-r--r--src/regress/lib/libssl/interop/version/Makefile110
18 files changed, 0 insertions, 1837 deletions
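diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */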
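diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index bdc67f627a..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $
-
-SUBDIR = libressl openssl33 openssl34
-
-# the above binaries must have been built before we can continue
-SUBDIR += netcat
-SUBDIR += session
-SUBDIR += botan
-
-# What is below takes a long time.
-# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
-# will skip the tests that do not test libressl
-# but do things like test openssl 3.x to openssl 3.y
-SUBDIR += version
-SUBDIR += cipher
-# This takes a really long time.
-SUBDIR += cert
-
-.include <bsd.subdir.mk>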
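diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index fa22fb8514..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,83 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.10 2024/02/03 15:58:34 beck Exp $
-
-.PATH: ${.CURDIR}/..
-
-SRCS_client ?= client.c util.c
-SRCS_server ?= server.c util.c
-WARNINGS = yes
-CLEANFILES += *.out *.fstat
-
-.for p in ${PROGS}
-ldd-$p.out: $p
- # programs must be linked with correct libraries
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
-.endfor
-
-client-self.out server-self.out: run-self-client-server
-
-run-self-client-server: client server 127.0.0.1.crt
- # check that tls client and server work together
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./server >server-self.out \
- 127.0.0.1 0
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./client >client-self.out \
- `sed -n 's/listen sock: //p' server-self.out`
- # wait for server to terminate
- -sed -n 's/listen sock: //p' server-self.out | xargs nc 2>/dev/null
- # check that the client run successfully to the end
- grep -q '^success$$' client-self.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-self.out
- # check that the server child run successfully to the end
- grep -q '^success$$' server-self.out
- # server must have read client hello
- grep -q '^<<< hello$$' server-self.out
-
-# create certificates for TLS
-
-CLEANFILES += 127.0.0.1.{crt,key} \
- ca.{crt,key,srl} fake-ca.{crt,key} \
- {client,server}.{req,crt,key} \
- {dsa,ec,rsa}.{key,req,crt} \
- dh.param
-
-127.0.0.1.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=server/CN=${@:R}/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-ca.crt fake-ca.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-client.req server.req:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -newkey rsa -keyout ${@:R}.key -out $@
-
-client.crt server.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@
-
-dh.param:
- openssl dhparam -out $@ 1024
-
-dsa.key:
- openssl dsaparam -genkey -out $@ 2048
-
-ec.key:
- openssl ecparam -genkey -name secp256r1 -out $@
-
-rsa.key:
- openssl genrsa -out $@ 2048
-
-dsa.req ec.req rsa.req: ${@:R}.key
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-dsa.crt ec.crt rsa.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@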
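diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
deleted file mode 100644
index 091e63f6fc..0000000000
--- a/src/regress/lib/libssl/interop/README
+++ /dev/null
@@ -1,18 +0,0 @@
-Test TLS interoperability between LibreSSL and OpenSSL.
-
-Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0. This
-way API compatibility is tested.
-
-To self test each SSL library, connect client with server. Check
-that the highest available TLS version is selected. LibreSSL TLS
-1.3 check has to be enabled when the feature becomes available.
-
-Connect and accept with netcat to test protocol compatibility with
-libtls. Test TLS session reuse multiple times with different library
-combinations. The cert subdir is testing all combinations of
-certificate validation. Having the three libraries, client and
-server certificates, missing or invalid CA or certificates, and
-enforcing peer certificate results in 1944 test cases. The cipher
-test establishes connections between implementations for each
-supported cipher.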
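diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
deleted file mode 100644
index 85877d4290..0000000000
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
-
-.include <bsd.own.mk>
-
-.if ! exists(/usr/local/bin/botan)
-regress:
- # install botan2 from ports for interop tests
- @echo 'Run "pkg_add botan2" to run tests against Botan 2'
- @echo SKIPPED
-.elif (${COMPILER_VERSION:L} != "clang" && ! exists(/usr/local/bin/eg++))
-regress:
- # on gcc-archs install g++ from ports for botan2 interop tests
- @echo 'Run "pkg_add g++" to run tests against Botan 2 on GCC architectures'
- @echo SKIPPED
-.else
-
-# C++11
-.if ${COMPILER_VERSION:L} != "clang" && ${CXX} == "c++"
-CXX = /usr/local/bin/eg++
-.endif
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-PROGS = client
-SRCS_client = client.cpp
-CXXFLAGS = -I/usr/local/include/botan-2 -Wall
-LDFLAGS = -L/usr/local/lib
-LDADD = -lbotan-2
-DPADD = /usr/local/lib/libbotan-2.a
-
-.for lib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-client-botan-server-${lib}
-
-run-client-botan-server-${lib}: client server.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
- ../${lib}/server >server-${lib}.out \
- -c server.crt -k server.key \
- 127.0.0.1 0
- ./client >client-botan.out \
- -C ca.crt \
- 127.0.0.1 \
- `sed -n 's/listen sock: 127.0.0.1 //p' server-${lib}.out`
- # check that the server child run successfully to the end
- grep -q '^success$$' server-${lib}.out || \
- { sleep 1; grep -q '^success$$' server-${lib}.out; }
- # server must have read client hello
- grep -q '^<<< hello$$' server-${lib}.out
- # check that the client run successfully to the end
- grep -q '^success$$' client-botan.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-botan.out
- # currently botan supports TLS 1.2, adapt later
- grep -q ' Protocol *: TLSv1.2$$' server-${lib}.out
-
-.endfor
-
-server.key ca.key:
- /usr/local/bin/botan keygen >$@.tmp
- mv $@.tmp $@
-
-ca.crt: ${@:R}.key
- /usr/local/bin/botan gen_self_signed ${@:R}.key ${@:R} >$@.tmp \
- --organization=tls-regress --ca
- mv $@.tmp $@
-
-server.req: ${@:R}.key
- /usr/local/bin/botan gen_pkcs10 ${@:R}.key localhost >$@.tmp \
- --organization=tls-regress --dns=127.0.0.1
- mv $@.tmp $@
-
-server.crt: ca.crt ${@:R}.req
- /usr/local/bin/botan sign_cert ca.crt ca.key ${@:R}.req >$@.tmp
- mv $@.tmp $@
-
-.endif # exists(/usr/local/bin/botan)
-
-.include <bsd.regress.mk>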
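diff --git a/src/regress/lib/libssl/interop/botan/client.cpp b/src/regress/lib/libssl/interop/botan/client.cpp
deleted file mode 100644
index 2352d7bba2..0000000000
--- a/src/regress/lib/libssl/interop/botan/client.cpp
+++ /dev/null
@@ -1,228 +0,0 @@
-/* $OpenBSD: client.cpp,v 1.1 2020/09/15 01:45:16 bluhm Exp $ */
-/*
- * Copyright (c) 2019-2020 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <unistd.h>
-
-#include <botan/tls_client.h>
-#include <botan/tls_callbacks.h>
-#include <botan/tls_session_manager.h>
-#include <botan/tls_policy.h>
-#include <botan/auto_rng.h>
-#include <botan/certstor.h>
-
-#include <iostream>
-#include <string>
-using namespace std;
-
-class Callbacks : public Botan::TLS::Callbacks {
-public:
- Callbacks(int socket) :
- m_socket(socket)
- {}
-
- void print_sockname()
- {
- struct sockaddr_storage ss;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- socklen_t slen;
-
- slen = sizeof(ss);
- if (getsockname(m_socket, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getsockname");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port),
- NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- cout <<"sock: " <<host <<" " <<port <<endl <<flush;
- }
-
- void print_peername()
- {
- struct sockaddr_storage ss;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- socklen_t slen;
-
- slen = sizeof(ss);
- if (getpeername(m_socket, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getpeername");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port),
- NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- cout <<"peer: " <<host <<" " <<port <<endl <<flush;
- }
-
- void tls_emit_data(const uint8_t data[], size_t size) override
- {
- size_t off = 0, len = size;
-
- while (len > 0) {
- ssize_t n;
-
- n = send(m_socket, data + off, len, 0);
- if (n < 0)
- err(1, "send");
- off += n;
- len -= n;
- }
- }
-
- void tls_record_received(uint64_t seq_no, const uint8_t data[],
- size_t size) override
- {
- cout <<"<<< " <<string((const char *)data, size) <<flush;
-
- string str("hello\n");
- cout <<">>> " <<str <<flush;
- m_channel->send(str);
- m_channel->close();
- }
-
- void tls_alert(Botan::TLS::Alert alert) override
- {
- errx(1, "alert: %s", alert.type_string().c_str());
- }
-
- bool tls_session_established(const Botan::TLS::Session& session)
- override
- {
- cout <<"established" <<endl <<flush;
- return false;
- }
-
- void set_channel(Botan::TLS::Channel &channel) {
- m_channel = &channel;
- }
-
-protected:
- int m_socket = -1;
- Botan::TLS::Channel *m_channel = nullptr;
-};
-
-class Credentials : public Botan::Credentials_Manager {
-public:
- std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(
- const std::string &type, const std::string &context)
- override
- {
- std::vector<Botan::Certificate_Store*> cs { &m_ca };
- return cs;
- }
-
- void add_certificate_file(const std::string &file) {
- Botan::X509_Certificate cert(file);
- m_ca.add_certificate(cert);
- }
-private:
- Botan::Certificate_Store_In_Memory m_ca;
-};
-
-class Policy : public Botan::TLS::Strict_Policy {
-public:
- bool require_cert_revocation_info() const override {
- return false;
- }
-};
-
-void __dead
-usage(void)
-{
- fprintf(stderr, "usage: client [-C CA] host port\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
- struct addrinfo hints, *res;
- int ch, s, error;
- char buf[256];
- char *cafile = NULL;
- char *host, *port;
-
- while ((ch = getopt(argc, argv, "C:")) != -1) {
- switch (ch) {
- case 'C':
- cafile = optarg;
- break;
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if (argc == 2) {
- host = argv[0];
- port = argv[1];
- } else {
- usage();
- }
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_socktype = SOCK_STREAM;
- error = getaddrinfo(host, port, &hints, &res);
- if (error)
- errx(1, "getaddrinfo: %s", gai_strerror(error));
- if (res == NULL)
- errx(1, "getaddrinfo empty");
- s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
- if (s == -1)
- err(1, "socket");
- if (connect(s, res->ai_addr, res->ai_addrlen) == -1)
- err(1, "connect");
- freeaddrinfo(res);
-
- {
- Callbacks callbacks(s);
- Botan::AutoSeeded_RNG rng;
- Botan::TLS::Session_Manager_In_Memory session_mgr(rng);
- Credentials creds;
- if (cafile != NULL)
- creds.add_certificate_file(cafile);
- Policy policy;
-
- callbacks.print_sockname();
- callbacks.print_peername();
- Botan::TLS::Client client(callbacks, session_mgr, creds,
- policy, rng);
- callbacks.set_channel(client);
-
- while (!client.is_closed()) {
- ssize_t n;
-
- n = recv(s, buf, sizeof(buf), 0);
- if (n < 0)
- err(1, "recv");
- if (n == 0)
- errx(1, "eof");
- client.received_data((uint8_t *)&buf, n);
- }
- }
-
- if (close(s) == -1)
- err(1, "close");
-
- cout <<"success" <<endl;
-
- return 0;
-}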
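diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
deleted file mode 100644
index 74c63c86a8..0000000000
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ /dev/null
@@ -1,98 +0,0 @@
-# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 3.x. Create client and server certificates
-# that are signed by a CA and not signed by a fake CA. Try all
-# combinations with, without, and with wrong CA for client and server
-# and check the result of certificate verification.
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-.for cca in noca ca fakeca
-.for sca in noca ca fakeca
-.for ccert in nocert cert
-.for scert in nocert cert
-.for cv in noverify verify
-.for sv in noverify verify certverify
-
-# remember when certificate verification should fail
-.if (("${cv}" == verify && "${cca}" == ca && "${scert}" == cert) || \
- "${cv}" == noverify) && \
- (("${sv}" == verify && "${ccert}" == nocert) || \
- ("${sv}" == verify && "${sca}" == ca && "${ccert}" == cert) || \
- ("${sv}" == certverify && "${sca}" == ca && "${ccert}" == cert) || \
- "${sv}" == noverify)
-FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} =
-.else
-FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} = !
-.endif
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
-.else
-# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
-SLOW_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
-.endif
-
-run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}: \
- 127.0.0.1.crt ca.crt fake-ca.crt client.crt server.crt \
- ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
- ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
- ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \
- 127.0.0.1 0
- ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
- ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
- ${cv:S/^noverify//:S/^verify/-v/} \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}})
- grep '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
- grep '^success$$' ${@:S/^run/client/}.out
-.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \
- ("${cv}" == verify && "${scert}" != cert)
- grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out
-.endif
-
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-.endfor
-
-.include <bsd.own.mk>
-REGRESS_SKIP_SLOW ?= no
-.if ${REGRESS_SKIP_SLOW:L} != "yes"
-REGRESS_TARGETS += ${SLOW_TARGETS}
-.endif
-
-REGRESS_TARGETS += run-bob
-run-bob:
- @echo Bob, be happy! Tests finished.
-
-# argument list too long for a single rm *
-
-clean: _SUBDIRUSE
- rm -f client-*.out
- rm -f server-*.out
- rm -f a.out [Ee]rrs mklog *.core y.tab.h \
- ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES}
-
-.include <bsd.regress.mk>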
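diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
deleted file mode 100644
index fa7e25f9ee..0000000000
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ /dev/null
@@ -1,159 +0,0 @@
-# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 1.1 or 3.0. Create lists of supported ciphers
-# and pin client and server to one of the ciphers. Use server
-# certificate with compatible type. Check that client and server
-# have used correct cipher by grepping in their session print out.
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-CLEANFILES = *.tmp *.ciphers ciphers.mk
-
-.for clib in ${LIBRARIES}
-client-${clib}.ciphers:
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client -l ALL -L >$@.tmp
- sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
- rm $@.tmp
-.endfor
-.for slib in ${LIBRARIES}
-server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server -l ALL -L >$@.tmp
- sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
- rm $@.tmp
-.endfor
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-ciphers.mk: client-${clib}-server-${slib}.ciphers
-client-${clib}-server-${slib}.ciphers: \
- client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
- # get ciphers shared between client and server
- sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
- uniq -d <$@.tmp >$@
- # we are only interested in ciphers supported by libressl
- sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \
- "${clib}" == "openssl34" || "${slib}" == "openssl34"
- # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
- sed -i '/^TLS_/d' $@.tmp
-. endif
- uniq -d <$@.tmp >$@
- rm $@.tmp
-.endfor
-.endfor
-
-ciphers.mk:
- rm -f $@ $@.tmp
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
- echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
- `cat client-${clib}-server-${slib}.ciphers`
-.endfor
-.endfor
- mv $@.tmp $@
-
-# hack to convert generated lists into usable make variables
-.if exists(ciphers.mk)
-.include "ciphers.mk"
-.else
-regress: ciphers.mk
- ${MAKE} -C ${.CURDIR} regress
-.endif
-
-LEVEL_libressl =
-LEVEL_openssl33 = ,@SECLEVEL=0
-LEVEL_openssl34 = ,@SECLEVEL=0
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-.for cipher in ${CIPHERS_${clib}_${slib}}
-
-.if "${cipher:M*-DSS-*}" != ""
-TYPE_${cipher} = dsa
-.elif "${cipher:M*-ECDSA-*}" != ""
-TYPE_${cipher} = ec
-.elif "${cipher:M*-RSA-*}" != ""
-TYPE_${cipher} = rsa
-.else
-TYPE_${cipher} = 127.0.0.1
-.endif
-
-DHPARAM_${cipher}_${slib} =
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
-.else
-# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
-SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
-.endif
-run-cipher-${cipher}-client-${clib}-server-${slib} \
-client-cipher-${cipher}-client-${clib}-server-${slib}.out \
-server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
- 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
- -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
- 127.0.0.1 0
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- -l ${cipher}${LEVEL_${clib}} \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
- grep -q '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
- grep -q '^success$$' ${@:S/^run/client/}.out
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
-.else
-# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
-SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
-.endif
-check-cipher-${cipher}-client-${clib}-server-${slib}: \
- client-cipher-${cipher}-client-${clib}-server-${slib}.out \
- server-cipher-${cipher}-client-${clib}-server-${slib}.out
-.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
- # client and server 1.3 capable, not TLS 1.3 cipher
-. if "${clib}" == "libressl"
- # libressl client may prefer chacha-poly if aes-ni is not supported
- egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/client/}.out
-. else
- # openssl 1.1 generic client cipher
- grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
-. endif
-. if "${clib}" == "libressl"
- # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl33" || "${slib}" == "openssl34"
- egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
-. else
- egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
-. endif
-. else
- # generic server cipher
- grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
-. endif
-.else
- grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
- grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
-.endif
-
-.endfor
-.endfor
-.endfor
-
-.include <bsd.own.mk>
-REGRESS_SKIP_SLOW ?= no
-.if ${REGRESS_SKIP_SLOW:L} != "yes"
-REGRESS_TARGETS += ${SLOW_TARGETS}
-.endif
-
-.include <bsd.regress.mk>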
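diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
deleted file mode 100644
index 31a960381e..0000000000
--- a/src/regress/lib/libssl/interop/client.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/* $OpenBSD: client.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-#include "util.h"
-
-void __dead usage(void);
-
-void __dead
-usage(void)
-{
- fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
- "[-l ciphers] [-V version] host port\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
- const SSL_METHOD *method;
- SSL_CTX *ctx;
- SSL *ssl;
- BIO *bio;
- SSL_SESSION *session = NULL;
- int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
- int version = 0;
- char buf[256];
- char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
- char *host_port, *host = "127.0.0.1", *port = "0";
-
- while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
- switch (ch) {
- case 'C':
- ca = optarg;
- break;
- case 'c':
- crt = optarg;
- break;
- case 'k':
- key = optarg;
- break;
- case 'L':
- listciphers = 1;
- break;
- case 'l':
- ciphers = optarg;
- break;
- case 's':
- /* multiple reueses are possible */
- sessionreuse++;
- break;
- case 'V':
- if (strcmp(optarg, "TLS1") == 0) {
- version = TLS1_VERSION;
- } else if (strcmp(optarg, "TLS1_1") == 0) {
- version = TLS1_1_VERSION;
- } else if (strcmp(optarg, "TLS1_2") == 0) {
- version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
- } else if (strcmp(optarg, "TLS1_3") == 0) {
- version = TLS1_3_VERSION;
-#endif
- } else {
- errx(1, "unknown protocol version: %s", optarg);
- }
- break;
- case 'v':
- verify = 1;
- break;
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if (argc == 2) {
- host = argv[0];
- port = argv[1];
- } else if (!listciphers) {
- usage();
- }
- if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
- host, port) == -1)
- err(1, "asprintf host port");
- if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
- errx(1, "certificate and private key must be used together");
-
- SSL_library_init();
- SSL_load_error_strings();
- print_version();
-
- /* setup method and context */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- method = TLS_client_method();
- if (method == NULL)
- err_ssl(1, "TLS_client_method");
-#else
- switch (version) {
- case TLS1_VERSION:
- method = TLSv1_client_method();
- break;
- case TLS1_1_VERSION:
- method = TLSv1_1_client_method();
- break;
- case TLS1_2_VERSION:
- method = TLSv1_2_client_method();
- break;
-#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- err(1, "TLS1_3 not supported");
-#endif
- default:
- method = SSLv23_client_method();
- break;
- }
- if (method == NULL)
- err_ssl(1, "SSLv23_client_method");
-#endif
- ctx = SSL_CTX_new(method);
- if (ctx == NULL)
- err_ssl(1, "SSL_CTX_new");
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- if (version) {
- if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_min_proto_version");
- if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_max_proto_version");
- }
-#endif
-
- /* load client certificate */
- if (crt != NULL) {
- if (SSL_CTX_use_certificate_file(ctx, crt,
- SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_certificate_file");
- if (SSL_CTX_use_PrivateKey_file(ctx, key,
- SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_PrivateKey_file");
- if (SSL_CTX_check_private_key(ctx) <= 0)
- err_ssl(1, "SSL_CTX_check_private_key");
- }
-
- /* verify server certificate */
- if (ca != NULL) {
- if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
- err_ssl(1, "SSL_CTX_load_verify_locations");
- }
- SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
- verify_callback);
-
- if (sessionreuse) {
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
- }
-
- if (ciphers) {
- if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
- err_ssl(1, "SSL_CTX_set_cipher_list");
- }
-
- if (listciphers) {
- STACK_OF(SSL_CIPHER) *supported_ciphers;
-
-#if OPENSSL_VERSION_NUMBER < 0x1010000f
-#define SSL_get1_supported_ciphers SSL_get_ciphers
-#endif
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- supported_ciphers = SSL_get1_supported_ciphers(ssl);
- if (supported_ciphers == NULL)
- err_ssl(1, "SSL_get1_supported_ciphers");
- print_ciphers(supported_ciphers);
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- sk_SSL_CIPHER_free(supported_ciphers);
-#endif
- return 0;
- }
-
- do {
- /* setup bio for socket operations */
- bio = BIO_new_connect(host_port);
- if (bio == NULL)
- err_ssl(1, "BIO_new_connect");
-
- /* connect */
- if (BIO_do_connect(bio) <= 0)
- err_ssl(1, "BIO_do_connect");
- printf("connect ");
- print_sockname(bio);
- printf("connect ");
- print_peername(bio);
-
- /* do ssl client handshake */
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- SSL_set_bio(ssl, bio, bio);
- /* resuse session if possible */
- if (session != NULL) {
- if (SSL_set_session(ssl, session) <= 0)
- err_ssl(1, "SSL_set_session");
- }
- if ((error = SSL_connect(ssl)) <= 0)
- err_ssl(1, "SSL_connect %d", error);
- printf("session %d: %s\n", sessionreuse,
- SSL_session_reused(ssl) ? "reuse" : "new");
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- /* print session statistics */
- if (sessionreuse) {
- session = SSL_get1_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL1_get_session");
- } else {
- session = SSL_get_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL_get_session");
- }
- if (SSL_SESSION_print_fp(stdout, session) <= 0)
- err_ssl(1, "SSL_SESSION_print_fp");
-
- /* read server greeting and write client hello over TLS */
- if ((error = SSL_read(ssl, buf, 9)) <= 0)
- err_ssl(1, "SSL_read %d", error);
- if (error != 9)
- errx(1, "read not 9 bytes greeting: %d", error);
- buf[9] = '\0';
- printf("<<< %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- strlcpy(buf, "hello\n", sizeof(buf));
- printf(">>> %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- if ((error = SSL_write(ssl, buf, 6)) <= 0)
- err_ssl(1, "SSL_write %d", error);
- if (error != 6)
- errx(1, "write not 6 bytes hello: %d", error);
-
- /* shutdown connection */
- if ((error = SSL_shutdown(ssl)) < 0)
- err_ssl(1, "SSL_shutdown unidirectional %d", error);
- if (error <= 0) {
- if ((error = SSL_shutdown(ssl)) <= 0)
- err_ssl(1, "SSL_shutdown bidirectional %d",
- error);
- }
-
- SSL_free(ssl);
- } while (sessionreuse--);
-
- SSL_CTX_free(ctx);
-
- printf("success\n");
-
- return 0;
-}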
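diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
deleted file mode 100644
index d8e20ca122..0000000000
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ /dev/null
@@ -1,34 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2020/12/25 10:50:08 tb Exp $
-
-PROGS = client server
-CFLAGS += -DLIBRESSL_HAS_TLS1_3
-CPPFLAGS +=
-LDFLAGS +=
-LDADD += -lssl -lcrypto
-DPADD += ${LIBSSL} ${LIBCRYPTO}
-LD_LIBRARY_PATH =
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with LibreSSL
- grep -q /usr/lib/libcrypto.so ldd-$p.out
- grep -q /usr/lib/libssl.so ldd-$p.out
- # check that $p is not linked with OpenSSL
- ! grep /usr/local/lib/ ldd-$p.out
-
-run-version-$p: $p-self.out
- # check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that LibreSSL protocol version is TLS 1.3
- grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.include <bsd.regress.mk>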
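--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-# run netcat server and connect with test client
-
-.for clib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-netcat-client-${clib}-server-nc
-REGRESS_TARGETS += run-protocol-client-${clib}
-
-run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt
-	echo "greeting" | \
-	nc >${@:S/^run/server/}.out \
-	-l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
-	127.0.0.1 0 & \
-	for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \
-	grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \
-	exit 0; done; exit 1
-	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
-	../${clib}/client >${@:S/^run/client/}.out \
-	`sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat`
-	# check that the client run successfully to the end
-	grep -q '^success$$' ${@:S/^run/client/}.out
-	# client must have read server greeting
-	grep -q '^<<< greeting$$' ${@:S/^run/client/}.out
-	# netstat server must have read client hello
-	grep -q '^hello$$' ${@:S/^run/server/}.out
-
-.endfor
-
-# run test server and connect with netcat client
-
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-netcat-client-nc-server-${slib}
-
-run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt
-	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
-	../${slib}/server >${@:S/^run/server/}.out \
-	127.0.0.1 0
-	echo "hello" | \
-	nc >${@:S/^run/client/}.out \
-	-c -R 127.0.0.1.crt \
-	`sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-	# check that the server child run successfully to the end
-	grep -q '^success$$' ${@:S/^run/server/}.out || \
-	{ sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
-	# server must have read client hello
-	grep -q '^<<< hello$$' ${@:S/^run/server/}.out
-	# client must have read server greeting
-	grep -q '^greeting$$' ${@:S/^run/client/}.out
-
-.endfor
-
-# check the TLS protocol version in client and server logs
-
-.for clib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-protocol-client-${clib}
-
-run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out
-	# check that LibTLS protocol version is TLS 1.2 or TLS 1.3
-	grep 'Protocol *: TLSv1.[23]' client-netcat-client-${clib}-server-nc.out
-
-.endfor
-
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-protocol-server-${slib}
-
-run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out
-	# check that LibTLS protocol version is TLS 1.2 or TLS 1.3
-	grep 'Protocol *: TLSv1.[23]' server-netcat-client-nc-server-${slib}.out
-
-.endfor
-
-.include <bsd.regress.mk>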
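--- a/src/regress/lib/libssl/interop/openssl33/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-
-.if ! exists(/usr/local/bin/eopenssl33)
-regress:
-	# install openssl-3.3 from ports for interop tests
-	@echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3'
-	@echo SKIPPED
-.else
-
-PROGS = client server
-CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS = -I /usr/local/include/eopenssl33
-LDFLAGS = -L /usr/local/lib/eopenssl33
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl33/libssl.a \
-	/usr/local/lib/eopenssl33/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl33
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
-	# check that $p is linked with OpenSSL 3.3
-	grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out
-	grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out
-	# check that $p is not linked with LibreSSL
-	! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
-	# check that runtime version is OpenSSL 3.3
-	grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out
-
-run-protocol-$p: $p-self.out
-	# check that OpenSSL 3.3 protocol version is TLS 1.3
-	grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl33)
-
-.include <bsd.regress.mk>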
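--- a/src/regress/lib/libssl/interop/openssl34/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-
-.if ! exists(/usr/local/bin/eopenssl34)
-regress:
-	# install openssl-3.4 from ports for interop tests
-	@echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4'
-	@echo SKIPPED
-.else
-
-PROGS = client server
-CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS = -I /usr/local/include/eopenssl34
-LDFLAGS = -L /usr/local/lib/eopenssl34
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl34/libssl.a \
-	/usr/local/lib/eopenssl34/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl34
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
-	# check that $p is linked with OpenSSL 3.4
-	grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out
-	grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out
-	# check that $p is not linked with LibreSSL
-	! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
-	# check that runtime version is OpenSSL 3.4
-	grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out
-
-run-protocol-$p: $p-self.out
-	# check that OpenSSL 3.4 protocol version is TLS 1.3
-	grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl34)
-
-.include <bsd.regress.mk>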
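--- a/src/regress/lib/libssl/interop/server.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $ */
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-#include "util.h"
-
-void __dead usage(void);
-
-void __dead
-usage(void)
-{
-	fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
-	"[-l ciphers] [-p dhparam] [-V version] [host port]\n");
-	exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
-	const SSL_METHOD *method;
-	SSL_CTX *ctx;
-	SSL *ssl;
-	BIO *abio, *cbio;
-	SSL_SESSION *session;
-	int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
-	int version = 0;
-	char buf[256], *dhparam = NULL;
-	char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
-	char *host_port, *host = "127.0.0.1", *port = "0";
-
-	while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
-	switch (ch) {
-	case 'C':
-	ca = optarg;
-	break;
-	case 'c':
-	crt = optarg;
-	break;
-	case 'k':
-	key = optarg;
-	break;
-	case 'L':
-	listciphers = 1;
-	break;
-	case 'l':
-	ciphers = optarg;
-	break;
-	case 'p':
-	dhparam = optarg;
-	break;
-	case 's':
-	/* multiple reueses are possible */
-	sessionreuse++;
-	break;
-	case 'V':
-	if (strcmp(optarg, "TLS1") == 0) {
-	version = TLS1_VERSION;
-	} else if (strcmp(optarg, "TLS1_1") == 0) {
-	version = TLS1_1_VERSION;
-	} else if (strcmp(optarg, "TLS1_2") == 0) {
-	version = TLS1_2_VERSION;
-	} else if (strcmp(optarg, "TLS1_3") == 0) {
-	version = TLS1_3_VERSION;
-	} else {
-	errx(1, "unknown protocol version: %s", optarg);
-	}
-	break;
-	case 'v':
-	/* use twice to force client cert */
-	verify++;
-	break;
-	default:
-	usage();
-	}
-	}
-	argc -= optind;
-	argv += optind;
-	if (argc == 2) {
-	host = argv[0];
-	port = argv[1];
-	} else if (argc != 0 && !listciphers) {
-	usage();
-	}
-	if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
-	host, port) == -1)
-	err(1, "asprintf host port");
-	if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
-	errx(1, "certificate and private key must be used together");
-	if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
-	err(1, "asprintf crt");
-	if (key == NULL && asprintf(&key, "%s.key", host) == -1)
-	err(1, "asprintf key");
-
-	SSL_library_init();
-	SSL_load_error_strings();
-	print_version();
-
-	/* setup method and context */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
-	method = TLS_server_method();
-	if (method == NULL)
-	err_ssl(1, "TLS_server_method");
-#else
-	switch (version) {
-	case TLS1_VERSION:
-	method = TLSv1_server_method();
-	break;
-	case TLS1_1_VERSION:
-	method = TLSv1_1_server_method();
-	break;
-	case TLS1_2_VERSION:
-	method = TLSv1_2_server_method();
-	break;
-#ifdef TLS1_3_VERSION
-	case TLS1_3_VERSION:
-	err(1, "TLS1_3 not supported");
-#endif
-	default:
-	method = SSLv23_server_method();
-	break;
-	}
-	if (method == NULL)
-	err_ssl(1, "SSLv23_server_method");
-#endif
-	ctx = SSL_CTX_new(method);
-	if (ctx == NULL)
-	err_ssl(1, "SSL_CTX_new");
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
-	if (version) {
-	if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
-	err_ssl(1, "SSL_CTX_set_min_proto_version");
-	if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
-	err_ssl(1, "SSL_CTX_set_max_proto_version");
-	}
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
-	/* needed to use DHE cipher with libressl */
-	if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
-	err_ssl(1, "SSL_CTX_set_dh_auto");
-#endif
-	/* needed to use ADH, EDH, DHE cipher with openssl */
-	if (dhparam != NULL) {
-	DH *dh;
-	FILE *file;
-
-	file = fopen(dhparam, "r");
-	if (file == NULL)
-	err(1, "fopen %s", dhparam);
-	dh = PEM_read_DHparams(file, NULL, NULL, NULL);
-	if (dh == NULL)
-	err_ssl(1, "PEM_read_DHparams");
-	if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0)
-	err_ssl(1, "SSL_CTX_set_tmp_dh");
-	fclose(file);
-	}
-
-	/* load server certificate */
-	if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
-	err_ssl(1, "SSL_CTX_use_certificate_file");
-	if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0)
-	err_ssl(1, "SSL_CTX_use_PrivateKey_file");
-	if (SSL_CTX_check_private_key(ctx) <= 0)
-	err_ssl(1, "SSL_CTX_check_private_key");
-
-	/* request client certificate and verify it */
-	if (ca != NULL) {
-	STACK_OF(X509_NAME) *x509stack;
-
-	x509stack = SSL_load_client_CA_file(ca);
-	if (x509stack == NULL)
-	err_ssl(1, "SSL_load_client_CA_file");
-	SSL_CTX_set_client_CA_list(ctx, x509stack);
-	if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
-	err_ssl(1, "SSL_CTX_load_verify_locations");
-	}
-	SSL_CTX_set_verify(ctx,
-	verify == 0 ? SSL_VERIFY_NONE :
-	verify == 1 ? SSL_VERIFY_PEER :
-	SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-	verify_callback);
-
-	if (sessionreuse) {
-	uint32_t context;
-
-	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
-	context = arc4random();
-	if (SSL_CTX_set_session_id_context(ctx,
-	(unsigned char *)&context, sizeof(context)) <= 0)
-	err_ssl(1, "SSL_CTX_set_session_id_context");
-	}
-
-	if (ciphers) {
-	if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
-	err_ssl(1, "SSL_CTX_set_cipher_list");
-	}
-
-	if (listciphers) {
-	STACK_OF(SSL_CIPHER) *supported_ciphers;
-
-	ssl = SSL_new(ctx);
-	if (ssl == NULL)
-	err_ssl(1, "SSL_new");
-	supported_ciphers = SSL_get1_supported_ciphers(ssl);
-	if (supported_ciphers == NULL)
-	err_ssl(1, "SSL_get1_supported_ciphers");
-	print_ciphers(supported_ciphers);
-
-	sk_SSL_CIPHER_free(supported_ciphers);
-	return 0;
-	}
-
-	/* setup bio for socket operations */
-	abio = BIO_new_accept(host_port);
-	if (abio == NULL)
-	err_ssl(1, "BIO_new_accept");
-
-	/* bind, listen */
-	if (BIO_do_accept(abio) <= 0)
-	err_ssl(1, "BIO_do_accept setup");
-	printf("listen ");
-	print_sockname(abio);
-
-	/* fork to background and set timeout */
-	if (daemon(1, 1) == -1)
-	err(1, "daemon");
-	alarm(10);
-
-	do {
-	/* accept connection */
-	if (BIO_do_accept(abio) <= 0)
-	err_ssl(1, "BIO_do_accept wait");
-	cbio = BIO_pop(abio);
-	printf("accept ");
-	print_sockname(cbio);
-	printf("accept ");
-	print_peername(cbio);
-
-	/* do ssl server handshake */
-	ssl = SSL_new(ctx);
-	if (ssl == NULL)
-	err_ssl(1, "SSL_new");
-	SSL_set_bio(ssl, cbio, cbio);
-	if ((error = SSL_accept(ssl)) <= 0)
-	err_ssl(1, "SSL_accept %d", error);
-	printf("session %d: %s\n", sessionreuse,
-	SSL_session_reused(ssl) ? "reuse" : "new");
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-
-
-	/* print session statistics */
-	session = SSL_get_session(ssl);
-	if (session == NULL)
-	err_ssl(1, "SSL_get_session");
-	if (SSL_SESSION_print_fp(stdout, session) <= 0)
-	err_ssl(1, "SSL_SESSION_print_fp");
-
-	/* write server greeting and read client hello over TLS */
-	strlcpy(buf, "greeting\n", sizeof(buf));
-	printf(">>> %s", buf);
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-	if ((error = SSL_write(ssl, buf, 9)) <= 0)
-	err_ssl(1, "SSL_write %d", error);
-	if (error != 9)
-	errx(1, "write not 9 bytes greeting: %d", error);
-	if ((error = SSL_read(ssl, buf, 6)) <= 0)
-	err_ssl(1, "SSL_read %d", error);
-	if (error != 6)
-	errx(1, "read not 6 bytes hello: %d", error);
-	buf[6] = '\0';
-	printf("<<< %s", buf);
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-
-	/* shutdown connection */
-	if ((error = SSL_shutdown(ssl)) < 0)
-	err_ssl(1, "SSL_shutdown unidirectional %d", error);
-	if (error <= 0) {
-	if ((error = SSL_shutdown(ssl)) <= 0)
-	err_ssl(1, "SSL_shutdown bidirectional %d",
-	error);
-	}
-
-	SSL_free(ssl);
-	} while (sessionreuse--);
-
-	SSL_CTX_free(ctx);
-
-	printf("success\n");
-
-	return 0;
-}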
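--- a/src/regress/lib/libssl/interop/session/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-#LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-#LIBRARIES += openssl34
-.endif
-
-run-session-client-libressl-server-libressl:
-	# TLS 1.3 needs some extra setup for session reuse
-	@echo DISABLED
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-session-client-${clib}-server-${slib}
-
-run-session-client-${clib}-server-${slib}: \
-	127.0.0.1.crt ../${clib}/client ../${slib}/server
-	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
-	../${slib}/server >${@:S/^run/server/}.out \
-	-ss \
-	127.0.0.1 0
-	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
-	../${clib}/client >${@:S/^run/client/}.out \
-	-ss \
-	`sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-	grep '^success$$' ${@:S/^run/server/}.out || \
-	{ sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
-	grep '^success$$' ${@:S/^run/client/}.out
-	grep '^session 2: new$$' ${@:S/^run/server/}.out
-	grep '^session 2: new$$' ${@:S/^run/client/}.out
-	grep '^session 1: reuse$$' ${@:S/^run/server/}.out
-	grep '^session 1: reuse$$' ${@:S/^run/client/}.out
-	grep '^session 0: reuse$$' ${@:S/^run/server/}.out
-	grep '^session 0: reuse$$' ${@:S/^run/client/}.out
-
-.endfor
-.endfor
-
-.include <bsd.regress.mk>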
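--- a/src/regress/lib/libssl/interop/util.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-
-#include "util.h"
-
-void
-print_version(void)
-{
-#ifdef OPENSSL_VERSION_NUMBER
-	printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_NUMBER
-	printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_TEXT
-	printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
-	printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
-	printf("OpenSSL_version OPENSSL_VERSION: %s\n",
-	OpenSSL_version(OPENSSL_VERSION));
-	printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
-	OpenSSL_version(OPENSSL_CFLAGS));
-	printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
-	OpenSSL_version(OPENSSL_BUILT_ON));
-	printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
-	OpenSSL_version(OPENSSL_PLATFORM));
-	printf("OpenSSL_version OPENSSL_DIR: %s\n",
-	OpenSSL_version(OPENSSL_DIR));
-	printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
-	OpenSSL_version(OPENSSL_ENGINES_DIR));
-#endif
-	printf("SSLeay: %#08lx\n", SSLeay());
-	printf("SSLeay_version SSLEAY_VERSION: %s\n",
-	SSLeay_version(SSLEAY_VERSION));
-	printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
-	SSLeay_version(SSLEAY_CFLAGS));
-	printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
-	SSLeay_version(SSLEAY_BUILT_ON));
-	printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
-	SSLeay_version(SSLEAY_PLATFORM));
-	printf("SSLeay_version SSLEAY_DIR: %s\n",
-	SSLeay_version(SSLEAY_DIR));
-}
-
-void
-print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
-{
-	const SSL_CIPHER *cipher;
-	int i;
-
-	for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
-	printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-}
-
-void
-print_sockname(BIO *bio)
-{
-	struct sockaddr_storage ss;
-	socklen_t slen;
-	char host[NI_MAXHOST], port[NI_MAXSERV];
-	int fd;
-
-	if (BIO_get_fd(bio, &fd) <= 0)
-	err_ssl(1, "BIO_get_fd");
-	slen = sizeof(ss);
-	if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
-	err(1, "getsockname");
-	if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
-	sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
-	errx(1, "getnameinfo");
-	printf("sock: %s %s\n", host, port);
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-}
-
-void
-print_peername(BIO *bio)
-{
-	struct sockaddr_storage ss;
-	socklen_t slen;
-	char host[NI_MAXHOST], port[NI_MAXSERV];
-	int fd;
-
-	if (BIO_get_fd(bio, &fd) <= 0)
-	err_ssl(1, "BIO_get_fd");
-	slen = sizeof(ss);
-	if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
-	err(1, "getpeername");
-	if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
-	sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
-	errx(1, "getnameinfo");
-	printf("peer: %s %s\n", host, port);
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-}
-
-void
-err_ssl(int eval, const char *fmt, ...)
-{
-	va_list ap;
-
-	ERR_print_errors_fp(stderr);
-	va_start(ap, fmt);
-	verrx(eval, fmt, ap);
-	va_end(ap);
-}
-
-int
-verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
-	printf("verify: %s\n", preverify_ok ? "pass" : "fail");
-	if (fflush(stdout) != 0)
-	err(1, "fflush stdout");
-
-	return preverify_ok;
-}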
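--- a/src/regress/lib/libssl/interop/util.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-void print_version(void);
-void print_ciphers(STACK_OF(SSL_CIPHER) *);
-void print_sockname(BIO *);
-void print_peername(BIO *);
-void err_ssl(int, const char *, ...);
-int verify_callback(int, X509_STORE_CTX *);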
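--- a/src/regress/lib/libssl/interop/version/Makefile
+++ /dev/null
@@ -1,110 +0,0 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
-# version number. Incompatible versions must fail. Check that client
-# and server have used correct version by grepping in their session
-# print out.
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES += openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES += openssl34
-.endif
-
-VERSIONS = any TLS1_2 TLS1_3
-
-.for cver in ${VERSIONS}
-.for sver in ${VERSIONS}
-
-.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}"
-FAIL_${cver}_${sver} =
-.else
-FAIL_${cver}_${sver} = !
-.endif
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
-	((("${clib}" != openssl33 && "${slib}" != openssl33)) || \
-	(("${clib}" != openssl34 && "${slib}" != openssl34)) || \
-	(("${cver}" != any && "${sver}" != any) && \
-	("${cver}" != TLS1 && "${sver}" != TLS1) && \
-	("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
-.else
-# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
-SLOW_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
-.endif
-
-run-version-client-${clib}-${cver}-server-${slib}-${sver} \
-client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
-server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
-	127.0.0.1.crt ../${clib}/client ../${slib}/server
-	LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
-	../${slib}/server >${@:S/^run/server/}.out \
-	-c 127.0.0.1.crt -k 127.0.0.1.key \
-	${sver:Nany:S/^/-V /} \
-	127.0.0.1 0
-	${FAIL_${cver}_${sver}} \
-	LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
-	../${clib}/client >${@:S/^run/client/}.out \
-	${cver:Nany:S/^/-V /} \
-	`sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-.if empty(${FAIL_${cver}_${sver}})
-	grep -q '^success$$' ${@:S/^run/server/}.out || \
-	{ sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
-	grep -q '^success$$' ${@:S/^run/client/}.out
-.endif
-
-.if empty(${FAIL_${cver}_${sver}})
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
-.else
-# Don't use REGRESS_SLOW_TARGETS since its handling in bsd.regress.mk is slow.
-SLOW_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
-.endif
-
-check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
-	client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
-	server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
-	@grep ' Protocol *: ' ${@:S/^check/client/}.out
-	@grep ' Protocol *: ' ${@:S/^check/server/}.out
-.if "${cver}" == any
-.if "${sver}" == any
-	grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
-	grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
-.else
-	grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
-	${@:S/^check/client/}.out
-	grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
-	${@:S/^check/server/}.out
-.endif
-.else
-	grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
-	${@:S/^check/client/}.out
-	grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
-	${@:S/^check/server/}.out
-.endif
-.endif
-
-.endif
-
-.endfor
-.endfor
-.endfor
-.endfor
-
-.include <bsd.own.mk>
-REGRESS_SKIP_SLOW ?= no
-.if ${REGRESS_SKIP_SLOW:L} != "yes"
-REGRESS_TARGETS += ${SLOW_TARGETS}
-.endif
-
-.include <bsd.regress.mk>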