-rw-r--r--src/regress/lib/libssl/interop/Makefile7
-rw-r--r--src/regress/lib/libssl/interop/client.c146
-rw-r--r--src/regress/lib/libssl/interop/openssl/Makefile4
-rw-r--r--src/regress/lib/libssl/interop/openssl11/Makefile4
-rw-r--r--src/regress/lib/libssl/interop/server.c151
-rw-r--r--src/regress/lib/libssl/interop/session/Makefile37
6 files changed, 220 insertions, 129 deletions
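--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,5 +1,8 @@
-# $OpenBSD: Makefile,v 1.3 2018/11/09 06:30:41 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2018/11/10 08:33:45 bluhm Exp $
 
-SUBDIR = libressl openssl openssl11 cert
+SUBDIR = libressl openssl openssl11
+# the above binaries must have been built before we can continue
+SUBDIR += session
+SUBDIR += cert
 
 .include <bsd.subdir.mk>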
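--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: client.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */
+/* $OpenBSD: client.c,v 1.5 2018/11/10 08:33:45 bluhm Exp $ */
 /*
  * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
  *
@@ -35,7 +35,7 @@ void __dead
 usage(void)
 {
  fprintf(stderr,
- "usage: client [-c] [-C CA] [-c crt -k key] host port");
+ "usage: client [-sv] [-C CA] [-c crt -k key] host port");
  exit(2);
 }
 
@@ -46,13 +46,13 @@ main(int argc, char *argv[])
  SSL_CTX *ctx;
  SSL *ssl;
  BIO *bio;
- SSL_SESSION *session;
- int error, verify = 0;
+ SSL_SESSION *session = NULL;
+ int error, sessionreuse = 0, verify = 0;
  char buf[256], ch;
  char *ca = NULL, *crt = NULL, *key = NULL;
  char *host_port, *host, *port;
 
- while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) {
+ while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) {
  switch (ch) {
  case 'C':
  ca = optarg;
@@ -63,6 +63,10 @@ main(int argc, char *argv[])
  case 'k':
  key = optarg;
  break;
+ case 's':
+ /* multiple reueses are possible */
+ sessionreuse++;
+ break;
  case 'v':
  verify = 1;
  break;
@@ -122,63 +126,85 @@ main(int argc, char *argv[])
  SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
  verify_callback);
 
- /* setup ssl and bio for socket operations */
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- bio = BIO_new_connect(host_port);
- if (bio == NULL)
- err_ssl(1, "BIO_new_connect");
- print_ciphers(SSL_get_ciphers(ssl));
-
- /* connect */
- if (BIO_do_connect(bio) <= 0)
- err_ssl(1, "BIO_do_connect");
- printf("connect ");
- print_sockname(bio);
- printf("connect ");
- print_peername(bio);
-
- /* do ssl client handshake */
- SSL_set_bio(ssl, bio, bio);
- if ((error = SSL_connect(ssl)) <= 0)
- err_ssl(1, "SSL_connect %d", error);
-
- /* print session statistics */
- session = SSL_get_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL_get_session");
- if (SSL_SESSION_print_fp(stdout, session) <= 0)
- err_ssl(1, "SSL_SESSION_print_fp");
-
- /* read server greeting and write client hello over TLS connection */
- if ((error = SSL_read(ssl, buf, 9)) <= 0)
- err_ssl(1, "SSL_read %d", error);
- if (error != 9)
- errx(1, "read not 9 bytes greeting: %d", error);
- buf[9] = '\0';
- printf("<<< %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- strlcpy(buf, "hello\n", sizeof(buf));
- printf(">>> %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- if ((error = SSL_write(ssl, buf, 6)) <= 0)
- err_ssl(1, "SSL_write %d", error);
- if (error != 6)
- errx(1, "write not 6 bytes hello: %d", error);
-
- /* shutdown connection */
- if ((error = SSL_shutdown(ssl)) < 0)
- err_ssl(1, "SSL_shutdown unidirectional %d", error);
- if (error <= 0) {
- if ((error = SSL_shutdown(ssl)) <= 0)
- err_ssl(1, "SSL_shutdown bidirectional %d", error);
+ if (sessionreuse) {
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
  }
 
- /* cleanup and free resources */
- SSL_free(ssl);
+ do {
+ /* setup bio for socket operations */
+ bio = BIO_new_connect(host_port);
+ if (bio == NULL)
+ err_ssl(1, "BIO_new_connect");
+
+ /* connect */
+ if (BIO_do_connect(bio) <= 0)
+ err_ssl(1, "BIO_do_connect");
+ printf("connect ");
+ print_sockname(bio);
+ printf("connect ");
+ print_peername(bio);
+
+ /* do ssl client handshake */
+ ssl = SSL_new(ctx);
+ if (ssl == NULL)
+ err_ssl(1, "SSL_new");
+ print_ciphers(SSL_get_ciphers(ssl));
+ SSL_set_bio(ssl, bio, bio);
+ /* resuse session if possible */
+ if (session != NULL) {
+ if (SSL_set_session(ssl, session) <= 0)
+ err_ssl(1, "SSL_set_session");
+ }
+ if ((error = SSL_connect(ssl)) <= 0)
+ err_ssl(1, "SSL_connect %d", error);
+ printf("session %d: %s\n", sessionreuse,
+ SSL_session_reused(ssl) ? "reuse" : "new");
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+
+ /* print session statistics */
+ if (sessionreuse) {
+ session = SSL_get1_session(ssl);
+ if (session == NULL)
+ err_ssl(1, "SSL1_get_session");
+ } else {
+ session = SSL_get_session(ssl);
+ if (session == NULL)
+ err_ssl(1, "SSL_get_session");
+ }
+ if (SSL_SESSION_print_fp(stdout, session) <= 0)
+ err_ssl(1, "SSL_SESSION_print_fp");
+
+ /* read server greeting and write client hello over TLS */
+ if ((error = SSL_read(ssl, buf, 9)) <= 0)
+ err_ssl(1, "SSL_read %d", error);
+ if (error != 9)
+ errx(1, "read not 9 bytes greeting: %d", error);
+ buf[9] = '\0';
+ printf("<<< %s", buf);
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+ strlcpy(buf, "hello\n", sizeof(buf));
+ printf(">>> %s", buf);
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+ if ((error = SSL_write(ssl, buf, 6)) <= 0)
+ err_ssl(1, "SSL_write %d", error);
+ if (error != 6)
+ errx(1, "write not 6 bytes hello: %d", error);
+
+ /* shutdown connection */
+ if ((error = SSL_shutdown(ssl)) < 0)
+ err_ssl(1, "SSL_shutdown unidirectional %d", error);
+ if (error <= 0) {
+ if ((error = SSL_shutdown(ssl)) <= 0)
+ err_ssl(1, "SSL_shutdown bidirectional %d",
+ error);
+ }
+
+ SSL_free(ssl);
+ } while (sessionreuse--);
+
  SSL_CTX_free(ctx);
 
  printf("success\n");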
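Review bot: The reference returned by `SSL_get1_session` on new line 167 is never released: every `-s` round overwrites `session` with a fresh owned reference and the last one outlives the loop, so one SSL_SESSION per handshake leaks, while the non-reuse branch stores a borrowed pointer, which is why the two branches cannot share a single cleanup. Taking an owned reference in both cases and freeing the previous one before reassigning removes both the leak and the branch; SSL_SESSION_free tolerates a NULL argument in LibreSSL and OpenSSL, so the first round needs no special case. The free after the loop must not be gated on `sessionreuse`, which is -1 there because `while (sessionreuse--)` post-decrements once more on exit. The error string on new line 169 names a non-existent `SSL1_get_session`, and the comments on new lines 67 and 153 read "reueses" and "resuse".
```c
		/* print session statistics; drop the reference held from the previous round */
		SSL_SESSION_free(session);
		session = SSL_get1_session(ssl);
		if (session == NULL)
			err_ssl(1, "SSL_get1_session");
		if (SSL_SESSION_print_fp(stdout, session) <= 0)
			err_ssl(1, "SSL_SESSION_print_fp");
		/* … unchanged: greeting/hello exchange and shutdown … */
		SSL_free(ssl);
	} while (sessionreuse--);
	SSL_SESSION_free(session);
```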
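--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ b/src/regress/lib/libssl/interop/openssl/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.4 2018/11/09 06:30:41 bluhm Exp $
+# $OpenBSD: Makefile,v 1.5 2018/11/10 08:33:45 bluhm Exp $
 
 .if ! exists(/usr/local/bin/eopenssl)
 regress:
- # install openssl-1.0.2p from ports for interop tests
+ # install openssl-1.0.2 from ports for interop tests
  @echo SKIPPED
 .endif
 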
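--- a/src/regress/lib/libssl/interop/openssl11/Makefile
+++ b/src/regress/lib/libssl/interop/openssl11/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.3 2018/11/09 06:30:41 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2018/11/10 08:33:45 bluhm Exp $
 
 .if ! exists(/usr/local/bin/eopenssl11)
 regress:
- # install openssl-1.1.1 from ports for interop tests
+ # install openssl-1.1 from ports for interop tests
  @echo SKIPPED
 .endif
 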
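--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */
+/* $OpenBSD: server.c,v 1.5 2018/11/10 08:33:45 bluhm Exp $ */
 /*
  * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
  *
@@ -21,6 +21,7 @@
 #include <err.h>
 #include <netdb.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
@@ -35,7 +36,7 @@ void __dead
 usage(void)
 {
  fprintf(stderr,
- "usage: server [-vv] [-C CA] [-c crt -k key] [host port]");
+ "usage: server [-svv] [-C CA] [-c crt -k key] [host port]");
  exit(2);
 }
 
@@ -45,14 +46,14 @@ main(int argc, char *argv[])
  const SSL_METHOD *method;
  SSL_CTX *ctx;
  SSL *ssl;
- BIO *bio;
+ BIO *abio, *cbio;
  SSL_SESSION *session;
- int error, verify = 0;
+ int error, sessionreuse = 0, verify = 0;
  char buf[256], ch;
  char *ca = NULL, *crt = NULL, *key = NULL;
  char *host_port, *host = "127.0.0.1", *port = "0";
 
- while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) {
+ while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) {
  switch (ch) {
  case 'C':
  ca = optarg;
@@ -63,6 +64,10 @@ main(int argc, char *argv[])
  case 'k':
  key = optarg;
  break;
+ case 's':
+ /* multiple reueses are possible */
+ sessionreuse++;
+ break;
  case 'v':
  /* use twice to force client cert */
  verify++;
@@ -136,74 +141,94 @@ main(int argc, char *argv[])
  SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
  verify_callback);
 
- /* setup ssl and bio for socket operations */
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- bio = BIO_new_accept(host_port);
- if (bio == NULL)
+ if (sessionreuse) {
+ uint32_t context;
+
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+ context = arc4random();
+ if (SSL_CTX_set_session_id_context(ctx,
+ (unsigned char *)&context, sizeof(context)) <= 0)
+ err_ssl(1, "SSL_CTX_set_session_id_context");
+ }
+
+ /* setup bio for socket operations */
+ abio = BIO_new_accept(host_port);
+ if (abio == NULL)
  err_ssl(1, "BIO_new_accept");
- print_ciphers(SSL_get_ciphers(ssl));
 
  /* bind, listen */
- if (BIO_do_accept(bio) <= 0)
+ if (BIO_do_accept(abio) <= 0)
  err_ssl(1, "BIO_do_accept setup");
  printf("listen ");
- print_sockname(bio);
+ print_sockname(abio);
 
- /* fork to background, set timeout, and accept */
+ /* fork to background and set timeout */
  if (daemon(1, 1) == -1)
  err(1, "daemon");
- if ((int)alarm(60) == -1)
+ if ((int)alarm(10) == -1)
  err(1, "alarm");
- if (BIO_do_accept(bio) <= 0)
- err_ssl(1, "BIO_do_accept wait");
- bio = BIO_pop(bio);
- printf("accept ");
- print_sockname(bio);
- printf("accept ");
- print_peername(bio);
-
- /* do ssl server handshake */
- SSL_set_bio(ssl, bio, bio);
- if ((error = SSL_accept(ssl)) <= 0)
- err_ssl(1, "SSL_accept %d", error);
-
- /* print session statistics */
- session = SSL_get_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL_get_session");
- if (SSL_SESSION_print_fp(stdout, session) <= 0)
- err_ssl(1, "SSL_SESSION_print_fp");
-
- /* write server greeting and read client hello over TLS connection */
- strlcpy(buf, "greeting\n", sizeof(buf));
- printf(">>> %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- if ((error = SSL_write(ssl, buf, 9)) <= 0)
- err_ssl(1, "SSL_write %d", error);
- if (error != 9)
- errx(1, "write not 9 bytes greeting: %d", error);
- if ((error = SSL_read(ssl, buf, 6)) <= 0)
- err_ssl(1, "SSL_read %d", error);
- if (error != 6)
- errx(1, "read not 6 bytes hello: %d", error);
- buf[6] = '\0';
- printf("<<< %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- /* shutdown connection */
- if ((error = SSL_shutdown(ssl)) < 0)
- err_ssl(1, "SSL_shutdown unidirectional %d", error);
- if (error <= 0) {
- if ((error = SSL_shutdown(ssl)) <= 0)
- err_ssl(1, "SSL_shutdown bidirectional %d", error);
- }
 
- /* cleanup and free resources */
- SSL_free(ssl);
+ do {
+ /* accept connection */
+ if (BIO_do_accept(abio) <= 0)
+ err_ssl(1, "BIO_do_accept wait");
+ cbio = BIO_pop(abio);
+ printf("accept ");
+ print_sockname(cbio);
+ printf("accept ");
+ print_peername(cbio);
+
+ /* do ssl server handshake */
+ ssl = SSL_new(ctx);
+ if (ssl == NULL)
+ err_ssl(1, "SSL_new");
+ print_ciphers(SSL_get_ciphers(ssl));
+ SSL_set_bio(ssl, cbio, cbio);
+ if ((error = SSL_accept(ssl)) <= 0)
+ err_ssl(1, "SSL_accept %d", error);
+ printf("session %d: %s\n", sessionreuse,
+ SSL_session_reused(ssl) ? "reuse" : "new");
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+
+
+ /* print session statistics */
+ session = SSL_get_session(ssl);
+ if (session == NULL)
+ err_ssl(1, "SSL_get_session");
+ if (SSL_SESSION_print_fp(stdout, session) <= 0)
+ err_ssl(1, "SSL_SESSION_print_fp");
+
+ /* write server greeting and read client hello over TLS */
+ strlcpy(buf, "greeting\n", sizeof(buf));
+ printf(">>> %s", buf);
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+ if ((error = SSL_write(ssl, buf, 9)) <= 0)
+ err_ssl(1, "SSL_write %d", error);
+ if (error != 9)
+ errx(1, "write not 9 bytes greeting: %d", error);
+ if ((error = SSL_read(ssl, buf, 6)) <= 0)
+ err_ssl(1, "SSL_read %d", error);
+ if (error != 6)
+ errx(1, "read not 6 bytes hello: %d", error);
+ buf[6] = '\0';
+ printf("<<< %s", buf);
+ if (fflush(stdout) != 0)
+ err(1, "fflush stdout");
+
+ /* shutdown connection */
+ if ((error = SSL_shutdown(ssl)) < 0)
+ err_ssl(1, "SSL_shutdown unidirectional %d", error);
+ if (error <= 0) {
+ if ((error = SSL_shutdown(ssl)) <= 0)
+ err_ssl(1, "SSL_shutdown bidirectional %d",
+ error);
+ }
+
+ SSL_free(ssl);
+ } while (sessionreuse--);
+
  SSL_CTX_free(ctx);
 
  printf("success\n");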
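Review bot: `cbio = BIO_pop(abio);` on new line 175 is unchecked, and it now runs once per `-s` round, so a NULL result would reach `print_sockname(cbio)` and `SSL_set_bio` before anything reports the failure. Adding `if (cbio == NULL) err_ssl(1, "BIO_pop");` directly after it keeps the error reporting consistent with the surrounding `err_ssl` checks. The block on new lines 144-152 deserves a comment saying why a session id context is required, e.g. `/* the server cache will not resume a session without an id context; a random one scopes resumption to this process */` — as far as I recall OpenSSL refuses resumption with peer verification enabled when none is set, but confirm against the library versions under test. New lines 193-194 are a double blank line, and the comment on new line 68 reads "reueses".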
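--- /dev/null
+++ b/src/regress/lib/libssl/interop/session/Makefile
@@ -0,0 +1,37 @@
+# $OpenBSD: Makefile,v 1.1 2018/11/10 08:33:45 bluhm Exp $
+
+run-client-openssl11-reuse-server-openssl11-reuse:
+ @echo '\n======== $@ ========'
+ # TLS 1.3 needs some extra setup for session reuse
+ @echo DISABLED
+
+CLEANFILES += *.out
+
+.for clib in libressl openssl openssl11
+.for slib in libressl openssl openssl11
+
+REGRESS_TARGETS += run-client-${clib}-reuse-server-${slib}-reuse
+
+run-client-${clib}-reuse-server-${slib}-reuse: 127.0.0.1.crt
+ @echo '\n======== $@ ========'
+ LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
+ ../${slib}/server >server-${slib}-reuse.out \
+ -ss \
+ 127.0.0.1 0
+ LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
+ ../${clib}/client >client-${clib}-reuse.out \
+ -ss \
+ `sed -n 's/listen sock: //p' server-${slib}-reuse.out`
+ grep '^success$$' server-${slib}-reuse.out
+ grep '^success$$' client-${clib}-reuse.out
+ grep '^session 2: new$$' server-${slib}-reuse.out
+ grep '^session 2: new$$' client-${clib}-reuse.out
+ grep '^session 1: reuse$$' server-${slib}-reuse.out
+ grep '^session 1: reuse$$' client-${clib}-reuse.out
+ grep '^session 0: reuse$$' server-${slib}-reuse.out
+ grep '^session 0: reuse$$' client-${clib}-reuse.out
+
+.endfor
+.endfor
+
+.include <bsd.regress.mk>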
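Review bot: The stand-alone rule for `run-client-openssl11-reuse-server-openssl11-reuse` on lines 3-6 only takes effect because make keeps the first rule body when the `.for` loops on lines 10-35 define the same target again; a comment such as `# listed first so the generated rule below is ignored` would save the next reader a search. The reason given on line 5, "TLS 1.3 needs some extra setup for session reuse", could name the setup: under TLS 1.3 the resumable session is delivered in a NewSessionTicket after the handshake, so the client has to process that message before `SSL_get1_session` yields something reusable — hedged, since the exact sequence depends on the library. The `sed` on line 24 ties the test to the server printing a `listen sock: ` line, which is worth a one-line comment beside it.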