summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/regress/lib/libssl/interop/Makefile6
-rw-r--r--src/regress/lib/libssl/interop/README6
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile7
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile16
-rw-r--r--src/regress/lib/libssl/interop/openssl/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/server.c13
-rw-r--r--src/regress/lib/libssl/interop/version/Makefile15
7 files changed, 13 insertions, 93 deletions
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 2f6b165ae6..72dc87b5c2 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
1# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $ 1# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
2 2
3SUBDIR = libressl openssl openssl11 openssl30 3SUBDIR = libressl openssl11 openssl30
4 4
5# the above binaries must have been built before we can continue 5# the above binaries must have been built before we can continue
6SUBDIR += netcat 6SUBDIR += netcat
@@ -10,7 +10,7 @@ SUBDIR += botan
10# What is below takes a long time. 10# What is below takes a long time.
11# setting REGRESS_SKIP_SLOW to "yes" in mk.conf 11# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
12# will skip the tests that do not test libressl 12# will skip the tests that do not test libressl
13# but do things like test openssl to openssl11 13# but do things like test openssl11 to openssl30
14SUBDIR += version 14SUBDIR += version
15SUBDIR += cipher 15SUBDIR += cipher
16# This takes a really long time. 16# This takes a really long time.
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
index 54910e554d..091e63f6fc 100644
--- a/src/regress/lib/libssl/interop/README
+++ b/src/regress/lib/libssl/interop/README
@@ -1,17 +1,13 @@
1Test TLS interoperability between LibreSSL and OpenSSL. 1Test TLS interoperability between LibreSSL and OpenSSL.
2 2
3Implement simple SSL client and server in C. Create six binaries 3Implement simple SSL client and server in C. Create six binaries
4by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This 4by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0. This
5way API compatibility is tested. 5way API compatibility is tested.
6 6
7To self test each SSL library, connect client with server. Check 7To self test each SSL library, connect client with server. Check
8that the highest available TLS version is selected. LibreSSL TLS 8that the highest available TLS version is selected. LibreSSL TLS
91.3 check has to be enabled when the feature becomes available. 91.3 check has to be enabled when the feature becomes available.
10 10
11Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
12soon as LibreSSL supports TLS 1.3, it should be used automatically
13when netcat is communicating with OpenSSL 1.1.
14
15Connect and accept with netcat to test protocol compatibility with 11Connect and accept with netcat to test protocol compatibility with
16libtls. Test TLS session reuse multiple times with different library 12libtls. Test TLS session reuse multiple times with different library
17combinations. The cert subdir is testing all combinations of 13combinations. The cert subdir is testing all combinations of
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 6156a988ae..32b7a4f4f1 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,15 +1,12 @@
1# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $ 1# $OpenBSD: Makefile,v 1.9 2023/02/01 14:39:09 tb Exp $
2 2
3# Connect a client to a server. Both can be current libressl, or 3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, 1.1, or 3.0. Create client and server certificates 4# openssl 1.1 or 3.0. Create client and server certificates
5# that are signed by a CA and not signed by a fake CA. Try all 5# that are signed by a CA and not signed by a fake CA. Try all
6# combinations with, without, and with wrong CA for client and server 6# combinations with, without, and with wrong CA for client and server
7# and check the result of certificate verification. 7# and check the result of certificate verification.
8 8
9LIBRARIES = libressl 9LIBRARIES = libressl
10.if exists(/usr/local/bin/eopenssl)
11LIBRARIES += openssl
12.endif
13.if exists(/usr/local/bin/eopenssl11) 10.if exists(/usr/local/bin/eopenssl11)
14LIBRARIES += openssl11 11LIBRARIES += openssl11
15.endif 12.endif
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 46951f6782..3cb4330d31 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
1# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $ 1# $OpenBSD: Makefile,v 1.11 2023/02/01 14:39:09 tb Exp $
2 2
3# Connect a client to a server. Both can be current libressl, or 3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers 4# openssl 1.1 or 3.0. Create lists of supported ciphers
5# and pin client and server to one of the ciphers. Use server 5# and pin client and server to one of the ciphers. Use server
6# certificate with compatible type. Check that client and server 6# certificate with compatible type. Check that client and server
7# have used correct cipher by grepping in their session print out. 7# have used correct cipher by grepping in their session print out.
@@ -18,9 +18,6 @@ check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
18 @echo DISABLED 18 @echo DISABLED
19 19
20LIBRARIES = libressl 20LIBRARIES = libressl
21.if exists(/usr/local/bin/eopenssl)
22LIBRARIES += openssl
23.endif
24.if exists(/usr/local/bin/eopenssl11) 21.if exists(/usr/local/bin/eopenssl11)
25LIBRARIES += openssl11 22LIBRARIES += openssl11
26.endif 23.endif
@@ -84,7 +81,6 @@ regress: ciphers.mk
84.endif 81.endif
85 82
86LEVEL_libressl = 83LEVEL_libressl =
87LEVEL_openssl =
88LEVEL_openssl11 = ,@SECLEVEL=0 84LEVEL_openssl11 = ,@SECLEVEL=0
89LEVEL_openssl30 = ,@SECLEVEL=0 85LEVEL_openssl30 = ,@SECLEVEL=0
90 86
@@ -104,12 +100,7 @@ TYPE_${cipher} = rsa
104TYPE_${cipher} = 127.0.0.1 100TYPE_${cipher} = 127.0.0.1
105.endif 101.endif
106 102
107.if "${slib}" == "openssl" && \
108 "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
109DHPARAM_${cipher}_${slib} = -p dh.param
110.else
111DHPARAM_${cipher}_${slib} = 103DHPARAM_${cipher}_${slib} =
112.endif
113 104
114.if ("${clib}" == "libressl" || "${slib}" == "libressl") 105.if ("${clib}" == "libressl" || "${slib}" == "libressl")
115REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib} 106REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
@@ -141,8 +132,7 @@ REGRESS_SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
141check-cipher-${cipher}-client-${clib}-server-${slib}: \ 132check-cipher-${cipher}-client-${clib}-server-${slib}: \
142 client-cipher-${cipher}-client-${clib}-server-${slib}.out \ 133 client-cipher-${cipher}-client-${clib}-server-${slib}.out \
143 server-cipher-${cipher}-client-${clib}-server-${slib}.out 134 server-cipher-${cipher}-client-${clib}-server-${slib}.out
144.if "${clib}" != "openssl" && "${slib}" != "openssl" && \ 135.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
145 "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
146 # client and server 1.3 capable, not TLS 1.3 cipher 136 # client and server 1.3 capable, not TLS 1.3 cipher
147. if "${clib}" == "libressl" 137. if "${clib}" == "libressl"
148 # libressl client may prefer chacha-poly if aes-ni is not supported 138 # libressl client may prefer chacha-poly if aes-ni is not supported
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
deleted file mode 100644
index 53c51a83ee..0000000000
--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
1# $OpenBSD: Makefile,v 1.9 2021/12/02 17:10:53 kn Exp $
2
3.if ! exists(/usr/local/bin/eopenssl)
4regress:
5 # install openssl-1.0.2 from ports for interop tests
6 @echo 'Run "pkg_add openssl--%1.0.2" to run tests against OpenSSL 1.0.2'
7 @echo SKIPPED
8.else
9
10PROGS = client server
11CPPFLAGS = -I /usr/local/include/eopenssl
12LDFLAGS = -L /usr/local/lib/eopenssl
13LDADD = -lssl -lcrypto
14DPADD = /usr/local/lib/eopenssl/libssl.a \
15 /usr/local/lib/eopenssl/libcrypto.a
16LD_LIBRARY_PATH = /usr/local/lib/eopenssl
17REGRESS_TARGETS = run-self-client-server
18.for p in ${PROGS}
19REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
20.endfor
21
22.for p in ${PROGS}
23
24run-ldd-$p: ldd-$p.out
25 # check that $p is linked with OpenSSL
26 grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
27 grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
28 # check that $p is not linked with LibreSSL
29 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
30
31run-version-$p: $p-self.out
32 # check that runtime version is OpenSSL 1.0.2
33 grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
34
35run-protocol-$p: $p-self.out
36 # check that OpenSSL 1.0.2 protocol version is TLS 1.2
37 grep 'Protocol *: TLSv1.2' $p-self.out
38
39.endfor
40
41.endif # exists(/usr/local/bin/eopenssl)
42
43.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
index c8e4cb7fc3..a634adb43b 100644
--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: server.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */ 1/* $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org> 3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 * 4 *
@@ -85,10 +85,8 @@ main(int argc, char *argv[])
85 version = TLS1_1_VERSION; 85 version = TLS1_1_VERSION;
86 } else if (strcmp(optarg, "TLS1_2") == 0) { 86 } else if (strcmp(optarg, "TLS1_2") == 0) {
87 version = TLS1_2_VERSION; 87 version = TLS1_2_VERSION;
88#ifdef TLS1_3_VERSION
89 } else if (strcmp(optarg, "TLS1_3") == 0) { 88 } else if (strcmp(optarg, "TLS1_3") == 0) {
90 version = TLS1_3_VERSION; 89 version = TLS1_3_VERSION;
91#endif
92 } else { 90 } else {
93 errx(1, "unknown protocol version: %s", optarg); 91 errx(1, "unknown protocol version: %s", optarg);
94 } 92 }
@@ -184,10 +182,6 @@ main(int argc, char *argv[])
184 fclose(file); 182 fclose(file);
185 } 183 }
186 184
187 /* needed when linking with OpenSSL 1.0.2p */
188 if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
189 err_ssl(1, "SSL_CTX_set_ecdh_auto");
190
191 /* load server certificate */ 185 /* load server certificate */
192 if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0) 186 if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
193 err_ssl(1, "SSL_CTX_use_certificate_file"); 187 err_ssl(1, "SSL_CTX_use_certificate_file");
@@ -231,9 +225,6 @@ main(int argc, char *argv[])
231 if (listciphers) { 225 if (listciphers) {
232 STACK_OF(SSL_CIPHER) *supported_ciphers; 226 STACK_OF(SSL_CIPHER) *supported_ciphers;
233 227
234#if OPENSSL_VERSION_NUMBER < 0x1010000f
235#define SSL_get1_supported_ciphers SSL_get_ciphers
236#endif
237 ssl = SSL_new(ctx); 228 ssl = SSL_new(ctx);
238 if (ssl == NULL) 229 if (ssl == NULL)
239 err_ssl(1, "SSL_new"); 230 err_ssl(1, "SSL_new");
@@ -242,9 +233,7 @@ main(int argc, char *argv[])
242 err_ssl(1, "SSL_get1_supported_ciphers"); 233 err_ssl(1, "SSL_get1_supported_ciphers");
243 print_ciphers(supported_ciphers); 234 print_ciphers(supported_ciphers);
244 235
245#if OPENSSL_VERSION_NUMBER >= 0x1010000f
246 sk_SSL_CIPHER_free(supported_ciphers); 236 sk_SSL_CIPHER_free(supported_ciphers);
247#endif
248 return 0; 237 return 0;
249 } 238 }
250 239
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 7b1be9a3ed..1e0af57a66 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,15 +1,12 @@
1# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $ 1# $OpenBSD: Makefile,v 1.5 2023/02/01 14:39:09 tb Exp $
2 2
3# Connect a client to a server. Both can be current libressl, or 3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS 4# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
5# version number. Incompatible versions must fail. Check that client 5# version number. Incompatible versions must fail. Check that client
6# and server have used correct version by grepping in their session 6# and server have used correct version by grepping in their session
7# print out. 7# print out.
8 8
9LIBRARIES = libressl 9LIBRARIES = libressl
10.if exists(/usr/local/bin/eopenssl)
11LIBRARIES += openssl
12.endif
13.if exists(/usr/local/bin/eopenssl11) 10.if exists(/usr/local/bin/eopenssl11)
14LIBRARIES += openssl11 11LIBRARIES += openssl11
15.endif 12.endif
@@ -31,8 +28,7 @@ FAIL_${cver}_${sver} = !
31.for clib in ${LIBRARIES} 28.for clib in ${LIBRARIES}
32.for slib in ${LIBRARIES} 29.for slib in ${LIBRARIES}
33 30
34.if (("${clib}" != openssl && "${slib}" != openssl) || \ 31.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
35 ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
36 (("${clib}" != openssl30 && "${slib}" != openssl30) || \ 32 (("${clib}" != openssl30 && "${slib}" != openssl30) || \
37 (("${cver}" != any && "${sver}" != any) && \ 33 (("${cver}" != any && "${sver}" != any) && \
38 ("${cver}" != TLS1 && "${sver}" != TLS1) && \ 34 ("${cver}" != TLS1 && "${sver}" != TLS1) && \
@@ -79,13 +75,8 @@ check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
79 @grep ' Protocol *: ' ${@:S/^check/server/}.out 75 @grep ' Protocol *: ' ${@:S/^check/server/}.out
80.if "${cver}" == any 76.if "${cver}" == any
81.if "${sver}" == any 77.if "${sver}" == any
82.if "${clib}" == openssl || "${slib}" == openssl
83 grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
84 grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
85.else
86 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out 78 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
87 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out 79 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
88.endif
89.else 80.else
90 grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \ 81 grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
91 ${@:S/^check/client/}.out 82 ${@:S/^check/client/}.out
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 15:35:56 +0000