Retire OpenSSL 1.0.2 interop

Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the interop tests anymore. anton's and bluhm's regress tests will switch to testing interoperability with OpenSSL 3.0.
author: tb <> 2023-02-01 14:39:09 +0000
committer: tb <> 2023-02-01 14:39:09 +0000
commit: 286da5b604ab0d9758d26a1ae1aecce4c34e4dbf (patch)
tree: 551c73b209e1ac3dd50d2eeccbd49b3e2c8439d4 /src
parent: bb11cbb827cae01ad8929c5c40a3dd254cac08f6 (diff)
download: openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.tar.gz
openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.tar.bz2
openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.zip
7 files changed, 13 insertions, 93 deletions
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 2f6b165ae6..72dc87b5c2 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
-SUBDIR =        libressl openssl openssl11 openssl30
+SUBDIR =        libressl openssl11 openssl30
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
@@ -10,7 +10,7 @@ SUBDIR +=	botan
 # What is below takes a long time.
 # setting REGRESS_SKIP_SLOW to "yes" in mk.conf
 # will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
+# but do things like test openssl11 to openssl30
 SUBDIR +=       version
 SUBDIR +=       cipher
 # This takes a really long time. 
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
index 54910e554d..091e63f6fc 100644
--- a/src/regress/lib/libssl/interop/README
+++ b/src/regress/lib/libssl/interop/README
@@ -1,17 +1,13 @@
 Test TLS interoperability between LibreSSL and OpenSSL.
 Implement simple SSL client and server in C.  Create six binaries
-by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1.  This
+by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0.  This
 way API compatibility is tested.
 To self test each SSL library, connect client with server.  Check
 that the highest available TLS version is selected.  LibreSSL TLS
 1.3 check has to be enabled when the feature becomes available.
-Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used.  As
-soon as LibreSSL supports TLS 1.3, it should be used automatically
-when netcat is communicating with OpenSSL 1.1.
 Connect and accept with netcat to test protocol compatibility with
 libtls.  Test TLS session reuse multiple times with different library
 combinations.  The cert subdir is testing all combinations of
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 6156a988ae..32b7a4f4f1 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,15 +1,12 @@
-# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/02/01 14:39:09 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0.  Create client and server certificates
+# openssl 1.1 or 3.0.  Create client and server certificates
 # that are signed by a CA and not signed by a fake CA.  Try all
 # combinations with, without, and with wrong CA for client and server
 # and check the result of certificate verification.
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES +=            openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 46951f6782..3cb4330d31 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/02/01 14:39:09 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0.  Create lists of supported ciphers
+# openssl 1.1 or 3.0.  Create lists of supported ciphers
 # and pin client and server to one of the ciphers.  Use server
 # certificate with compatible type.  Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -18,9 +18,6 @@ check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
        @echo DISABLED
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES +=            openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
@@ -84,7 +81,6 @@ regress: ciphers.mk
 .endif
 LEVEL_libressl =
-LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
 LEVEL_openssl30 = ,@SECLEVEL=0
@@ -104,12 +100,7 @@ TYPE_${cipher} =	rsa
 TYPE_${cipher} =        127.0.0.1
 .endif
-.if "${slib}" == "openssl" && \
-    "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
-DHPARAM_${cipher}_${slib} =     -p dh.param
-.else
 DHPARAM_${cipher}_${slib} =
-.endif
 .if ("${clib}" == "libressl" || "${slib}" == "libressl")
 REGRESS_TARGETS +=      run-cipher-${cipher}-client-${clib}-server-${slib}
@@ -141,8 +132,7 @@ REGRESS_SLOW_TARGETS +=	check-cipher-${cipher}-client-${clib}-server-${slib}
 check-cipher-${cipher}-client-${clib}-server-${slib}: \
    client-cipher-${cipher}-client-${clib}-server-${slib}.out \
    server-cipher-${cipher}-client-${clib}-server-${slib}.out
-.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
+.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
-    "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
        # client and server 1.3 capable, not TLS 1.3 cipher
 . if "${clib}" == "libressl"
        # libressl client may prefer chacha-poly if aes-ni is not supported
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
deleted file mode 100644
index 53c51a83ee..0000000000
--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2021/12/02 17:10:53 kn Exp $
-.if ! exists(/usr/local/bin/eopenssl)
-regress:
-        # install openssl-1.0.2 from ports for interop tests
-        @echo 'Run "pkg_add openssl--%1.0.2" to run tests against OpenSSL 1.0.2'
-        @echo SKIPPED
-.else
-PROGS =                 client server
-CPPFLAGS =              -I /usr/local/include/eopenssl
-LDFLAGS =               -L /usr/local/lib/eopenssl
-LDADD =                 -lssl -lcrypto
-DPADD =                 /usr/local/lib/eopenssl/libssl.a \
-                        /usr/local/lib/eopenssl/libcrypto.a
-LD_LIBRARY_PATH =       /usr/local/lib/eopenssl
-REGRESS_TARGETS =       run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-.for p in ${PROGS}
-run-ldd-$p: ldd-$p.out
-        # check that $p is linked with OpenSSL
-        grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
-        grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
-        # check that $p is not linked with LibreSSL
-        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-run-version-$p: $p-self.out
-        # check that runtime version is OpenSSL 1.0.2
-        grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
-run-protocol-$p: $p-self.out
-        # check that OpenSSL 1.0.2 protocol version is TLS 1.2
-        grep 'Protocol *: TLSv1.2' $p-self.out
-.endfor
-.endif # exists(/usr/local/bin/eopenssl)
-.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
index c8e4cb7fc3..a634adb43b 100644
--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: server.c,v 1.11 2022/07/07 13:12:57 tb Exp $  */
+/*      $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $  */
 /*
 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
 *
@@ -85,10 +85,8 @@ main(int argc, char *argv[])
                                version = TLS1_1_VERSION;
                        } else if (strcmp(optarg, "TLS1_2") == 0) {
                                version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
                        } else if (strcmp(optarg, "TLS1_3") == 0) {
                                version = TLS1_3_VERSION;
-#endif
                        } else {
                                errx(1, "unknown protocol version: %s", optarg);
                        }
@@ -184,10 +182,6 @@ main(int argc, char *argv[])
                fclose(file);
        }
-        /* needed when linking with OpenSSL 1.0.2p */
-        if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
-                err_ssl(1, "SSL_CTX_set_ecdh_auto");
        /* load server certificate */
        if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
                err_ssl(1, "SSL_CTX_use_certificate_file");
@@ -231,9 +225,6 @@ main(int argc, char *argv[])
        if (listciphers) {
                STACK_OF(SSL_CIPHER) *supported_ciphers;
-#if OPENSSL_VERSION_NUMBER < 0x1010000f
-#define SSL_get1_supported_ciphers SSL_get_ciphers
-#endif
                ssl = SSL_new(ctx);
                if (ssl == NULL)
                        err_ssl(1, "SSL_new");
@@ -242,9 +233,7 @@ main(int argc, char *argv[])
                        err_ssl(1, "SSL_get1_supported_ciphers");
                print_ciphers(supported_ciphers);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
                sk_SSL_CIPHER_free(supported_ciphers);
-#endif
                return 0;
        }
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 7b1be9a3ed..1e0af57a66 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,15 +1,12 @@
-# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2023/02/01 14:39:09 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1.  Pin client or server to a fixed TLS
+# openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
 # version number.  Incompatible versions must fail.  Check that client 
 # and server have used correct version by grepping in their session
 # print out.
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES +=            openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
@@ -31,8 +28,7 @@ FAIL_${cver}_${sver} = !
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
-.if (("${clib}" != openssl && "${slib}" != openssl) || \
+.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
-    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
    (("${clib}" != openssl30 && "${slib}" != openssl30) || \
    (("${cver}" != any && "${sver}" != any) && \
    ("${cver}" != TLS1 && "${sver}" != TLS1) && \
@@ -79,13 +75,8 @@ check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
        @grep ' Protocol *: ' ${@:S/^check/server/}.out
 .if "${cver}" == any
 .if "${sver}" == any
-.if "${clib}" == openssl || "${slib}" == openssl
-        grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
-        grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
-.else
        grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
        grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
-.endif
 .else
        grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
            ${@:S/^check/client/}.out
author	tb <>	2023-02-01 14:39:09 +0000
committer	tb <>	2023-02-01 14:39:09 +0000
commit	286da5b604ab0d9758d26a1ae1aecce4c34e4dbf (patch)
tree	551c73b209e1ac3dd50d2eeccbd49b3e2c8439d4 /src
parent	bb11cbb827cae01ad8929c5c40a3dd254cac08f6 (diff)
download	openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.tar.gz openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.tar.bz2 openbsd-286da5b604ab0d9758d26a1ae1aecce4c34e4dbf.zip