summaryrefslogtreecommitdiff
path: root/src/regress/lib/libssl/interop
diff options
context:
space:
mode:
Diffstat (limited to 'src/regress/lib/libssl/interop')
-rw-r--r--src/regress/lib/libssl/interop/LICENSE15
-rw-r--r--src/regress/lib/libssl/interop/Makefile10
-rw-r--r--src/regress/lib/libssl/interop/Makefile.inc91
-rw-r--r--src/regress/lib/libssl/interop/README22
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile175
-rw-r--r--src/regress/lib/libssl/interop/client.c232
-rw-r--r--src/regress/lib/libssl/interop/libressl/Makefile37
-rw-r--r--src/regress/lib/libssl/interop/netcat/Makefile90
-rw-r--r--src/regress/lib/libssl/interop/openssl/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/openssl11/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/server.c279
-rw-r--r--src/regress/lib/libssl/interop/session/Makefile45
-rw-r--r--src/regress/lib/libssl/interop/util.c145
-rw-r--r--src/regress/lib/libssl/interop/util.h23
15 files changed, 0 insertions, 1334 deletions
diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
1/*
2 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index 36b233c189..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,10 +0,0 @@
1# $OpenBSD: Makefile,v 1.6 2019/02/21 23:06:33 bluhm Exp $
2
3SUBDIR = libressl openssl openssl11
4# the above binaries must have been built before we can continue
5SUBDIR += netcat
6SUBDIR += session
7SUBDIR += cipher
8SUBDIR += cert
9
10.include <bsd.subdir.mk>
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index dfe1424949..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,91 +0,0 @@
1# $OpenBSD: Makefile.inc,v 1.6 2019/02/21 23:06:33 bluhm Exp $
2
3.PATH: ${.CURDIR}/..
4
5SRCS_client = client.c util.c
6SRCS_server = server.c util.c
7WARNINGS = yes
8CLEANFILES += *.out *.fstat
9
10.for p in ${PROGS}
11ldd-$p.out: $p
12 # programs must be linked with correct libraries
13 LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
14.endfor
15
16client-self.out server-self.out: run-self-client-server
17
18run-self-client-server: client server 127.0.0.1.crt
19 @echo '\n======== $@ ========'
20 # check that tls client and server work together
21 LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
22 ./server >server-self.out \
23 127.0.0.1 0
24 LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
25 ./client >client-self.out \
26 `sed -n 's/listen sock: //p' server-self.out`
27 # check that the client run successfully to the end
28 grep -q '^success$$' client-self.out
29 # client must have read server greeting
30 grep -q '^<<< greeting$$' client-self.out
31 # check that the server child run successfully to the end
32 grep -q '^success$$' server-self.out
33 # server must have read client hello
34 grep -q '^<<< hello$$' server-self.out
35
36# create certificates for TLS
37
38CLEANFILES += 127.0.0.1.{crt,key} \
39 ca.{crt,key,srl} fake-ca.{crt,key} \
40 {client,server}.{req,crt,key} \
41 {dsa,ec,gost,rsa}.{key,req,crt} \
42 dh.param
43
44127.0.0.1.crt:
45 openssl req -batch -new \
46 -subj /L=OpenBSD/O=tls-regress/OU=server/CN=127.0.0.1/ \
47 -nodes -newkey rsa -keyout 127.0.0.1.key -x509 -out $@
48
49ca.crt fake-ca.crt:
50 openssl req -batch -new \
51 -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \
52 -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
53
54client.req server.req:
55 openssl req -batch -new \
56 -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
57 -nodes -newkey rsa -keyout ${@:R}.key -out $@
58
59client.crt server.crt: ca.crt ${@:R}.req
60 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
61 -req -in ${@:R}.req -out $@
62
63dh.param:
64 openssl dhparam -out $@ 1024
65
66dsa.key:
67 openssl dsaparam -genkey -out $@ 2048
68
69ec.key:
70 openssl ecparam -genkey -name secp256r1 -out $@
71
72gost.key:
73 openssl genpkey -algorithm gost2001 \
74 -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@
75
76rsa.key:
77 openssl genrsa -out $@ 2048
78
79dsa.req ec.req rsa.req: ${@:R}.key
80 openssl req -batch -new \
81 -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
82 -nodes -key ${@:R}.key -out $@
83
84gost.req: ${@:R}.key
85 openssl req -batch -new -md_gost94 \
86 -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
87 -nodes -key ${@:R}.key -out $@
88
89dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req
90 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
91 -req -in ${@:R}.req -out $@
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
deleted file mode 100644
index 54910e554d..0000000000
--- a/src/regress/lib/libssl/interop/README
+++ /dev/null
@@ -1,22 +0,0 @@
1Test TLS interoperability between LibreSSL and OpenSSL.
2
3Implement simple SSL client and server in C. Create six binaries
4by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
5way API compatibility is tested.
6
7To self test each SSL library, connect client with server. Check
8that the highest available TLS version is selected. LibreSSL TLS
91.3 check has to be enabled when the feature becomes available.
10
11Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
12soon as LibreSSL supports TLS 1.3, it should be used automatically
13when netcat is communicating with OpenSSL 1.1.
14
15Connect and accept with netcat to test protocol compatibility with
16libtls. Test TLS session reuse multiple times with different library
17combinations. The cert subdir is testing all combinations of
18certificate validation. Having the three libraries, client and
19server certificates, missing or invalid CA or certificates, and
20enforcing peer certificate results in 1944 test cases. The cipher
21test establishes connections between implementations for each
22supported cipher.
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
deleted file mode 100644
index 11bc4aa2ab..0000000000
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
1# $OpenBSD: Makefile,v 1.4 2019/02/21 23:06:33 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create client and server certificates
5# that are signed by a CA and not signed by a fake CA. Try all
6# combinations with, without, and with wrong CA for client and server
7# and check the result of certificate verification.
8
9LIBRARIES = libressl
10.if exists(/usr/local/bin/eopenssl)
11LIBRARIES += openssl
12.endif
13.if exists(/usr/local/bin/eopenssl11)
14LIBRARIES += openssl11
15.endif
16
17.for cca in noca ca fakeca
18.for sca in noca ca fakeca
19.for ccert in nocert cert
20.for scert in nocert cert
21.for cv in noverify verify
22.for sv in noverify verify certverify
23
24# remember when certificate verification should fail
25.if (("${cv}" == verify && "${cca}" == ca && "${scert}" == cert) || \
26 "${cv}" == noverify) && \
27 (("${sv}" == verify && "${ccert}" == nocert) || \
28 ("${sv}" == verify && "${sca}" == ca && "${ccert}" == cert) || \
29 ("${sv}" == certverify && "${sca}" == ca && "${ccert}" == cert) || \
30 "${sv}" == noverify)
31FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} =
32.else
33FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} = !
34.endif
35
36.for clib in ${LIBRARIES}
37.for slib in ${LIBRARIES}
38
39REGRESS_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
40
41run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}: \
42 127.0.0.1.crt ca.crt fake-ca.crt client.crt server.crt \
43 ../${clib}/client ../${slib}/server
44 @echo '\n======== $@ ========'
45 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
46 ../${slib}/server >${@:S/^run/server/}.out \
47 ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
48 ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
49 ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \
50 127.0.0.1 0
51 ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \
52 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
53 ../${clib}/client >${@:S/^run/client/}.out \
54 ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
55 ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
56 ${cv:S/^noverify//:S/^verify/-v/} \
57 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
58.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}})
59 grep '^success$$' ${@:S/^run/server/}.out || \
60 { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
61 grep '^success$$' ${@:S/^run/client/}.out
62.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \
63 ("${cv}" == verify && "${scert}" != cert)
64 grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out
65.endif
66
67.endfor
68.endfor
69.endfor
70.endfor
71.endfor
72.endfor
73.endfor
74.endfor
75
76# argument list too long for a single rm *
77
78clean: _SUBDIRUSE
79 rm -f client-*.out
80 rm -f server-*.out
81 rm -f a.out [Ee]rrs mklog *.core y.tab.h \
82 ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES}
83
84.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
deleted file mode 100644
index 3f43ce804e..0000000000
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ /dev/null
@@ -1,175 +0,0 @@
1# $OpenBSD: Makefile,v 1.3 2019/03/28 22:24:13 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
5# and pin client and server to one of the ciphers. Use server
6# certificate with compatible type. Check that client and server
7# have used correct cipher by grepping in their session print out.
8
9check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
10check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
11check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
12check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
13check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
14check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
15check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
16check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
17check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
18check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
19check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
20check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
21check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
22check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
23check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
24check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
25check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
26check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
27check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
28check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
29check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
30check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
31check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
32check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
33check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
34check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
35check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
36check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
37check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
38check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
39check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
40check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
41check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
42check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
43check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
44check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
45check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
46check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
47check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
48check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
49check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
50check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
51check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
52check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
53check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
54check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
55check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
56 # openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
57 @echo DISABLED
58
59LIBRARIES = libressl
60.if exists(/usr/local/bin/eopenssl)
61LIBRARIES += openssl
62.endif
63.if exists(/usr/local/bin/eopenssl11)
64LIBRARIES += openssl11
65.endif
66
67CLEANFILES = *.tmp *.ciphers ciphers.mk
68
69.for clib in ${LIBRARIES}
70client-${clib}.ciphers:
71 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
72 ../${clib}/client -l ALL -L >$@.tmp
73 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
74 rm $@.tmp
75.endfor
76.for slib in ${LIBRARIES}
77server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
78 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
79 ../${slib}/server -l ALL -L >$@.tmp
80 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
81 rm $@.tmp
82.endfor
83
84.for clib in ${LIBRARIES}
85.for slib in ${LIBRARIES}
86ciphers.mk: client-${clib}-server-${slib}.ciphers
87client-${clib}-server-${slib}.ciphers: \
88 client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
89 # get ciphers shared between client and server
90 sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
91 uniq -d <$@.tmp >$@
92 # we are only interested in ciphers supported by libressl
93 sort $@ client-libressl.ciphers >$@.tmp
94 uniq -d <$@.tmp >$@
95 rm $@.tmp
96.endfor
97.endfor
98
99ciphers.mk:
100 rm -f $@ $@.tmp
101.for clib in ${LIBRARIES}
102.for slib in ${LIBRARIES}
103 echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
104 `cat client-${clib}-server-${slib}.ciphers`
105.endfor
106.endfor
107 mv $@.tmp $@
108
109# hack to convert generated lists into usable make variables
110.if exists(ciphers.mk)
111.include "ciphers.mk"
112.else
113regress: ciphers.mk
114 ${MAKE} -C ${.CURDIR} regress
115.endif
116
117LEVEL_libressl =
118LEVEL_openssl =
119LEVEL_openssl11 = ,@SECLEVEL=0
120
121.for clib in ${LIBRARIES}
122.for slib in ${LIBRARIES}
123.for cipher in ${CIPHERS_${clib}_${slib}}
124
125.if "${cipher:M*-DSS-*}" != ""
126TYPE_${cipher} = dsa
127.elif "${cipher:M*-ECDSA-*}" != ""
128TYPE_${cipher} = ec
129.elif "${cipher:M*-GOST89-*}" != ""
130TYPE_${cipher} = gost
131.elif "${cipher:M*-RSA-*}" != ""
132TYPE_${cipher} = rsa
133.else
134TYPE_${cipher} = 127.0.0.1
135.endif
136
137.if "${slib}" == "openssl" && \
138 "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
139DHPARAM_${cipher}_${slib} = -p dh.param
140.else
141DHPARAM_${cipher}_${slib} =
142.endif
143
144REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
145run-cipher-${cipher}-client-${clib}-server-${slib} \
146client-cipher-${cipher}-client-${clib}-server-${slib}.out \
147server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
148 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
149 @echo '\n======== $@ ========'
150 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
151 ../${slib}/server >${@:S/^run/server/}.out \
152 -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
153 -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
154 127.0.0.1 0
155 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
156 ../${clib}/client >${@:S/^run/client/}.out \
157 -l ${cipher}${LEVEL_${clib}} \
158 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
159 grep -q '^success$$' ${@:S/^run/server/}.out || \
160 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
161 grep -q '^success$$' ${@:S/^run/client/}.out
162
163REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
164check-cipher-${cipher}-client-${clib}-server-${slib}: \
165 client-cipher-${cipher}-client-${clib}-server-${slib}.out \
166 server-cipher-${cipher}-client-${clib}-server-${slib}.out
167 @echo '\n======== $@ ========'
168 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
169 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
170
171.endfor
172.endfor
173.endfor
174
175.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
deleted file mode 100644
index 27ad9a0ade..0000000000
--- a/src/regress/lib/libssl/interop/client.c
+++ /dev/null
@@ -1,232 +0,0 @@
1/* $OpenBSD: client.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $ */
2/*
3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24#include <string.h>
25#include <unistd.h>
26
27#include <openssl/err.h>
28#include <openssl/ssl.h>
29
30#include "util.h"
31
32void __dead usage(void);
33
34void __dead
35usage(void)
36{
37 fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
38 "[-l ciphers] host port\n");
39 exit(2);
40}
41
42int
43main(int argc, char *argv[])
44{
45 const SSL_METHOD *method;
46 SSL_CTX *ctx;
47 SSL *ssl;
48 BIO *bio;
49 SSL_SESSION *session = NULL;
50 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
51 char buf[256];
52 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
53 char *host_port, *host = "127.0.0.1", *port = "0";
54
55
56 while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {
57 switch (ch) {
58 case 'C':
59 ca = optarg;
60 break;
61 case 'c':
62 crt = optarg;
63 break;
64 case 'k':
65 key = optarg;
66 break;
67 case 'L':
68 listciphers = 1;
69 break;
70 case 'l':
71 ciphers = optarg;
72 break;
73 case 's':
74 /* multiple reueses are possible */
75 sessionreuse++;
76 break;
77 case 'v':
78 verify = 1;
79 break;
80 default:
81 usage();
82 }
83 }
84 argc -= optind;
85 argv += optind;
86 if (argc == 2) {
87 host = argv[0];
88 port = argv[1];
89 } else if (!listciphers) {
90 usage();
91 }
92 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
93 host, port) == -1)
94 err(1, "asprintf host port");
95 if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
96 errx(1, "certificate and private key must be used together");
97
98 SSL_library_init();
99 SSL_load_error_strings();
100 print_version();
101
102 /* setup method and context */
103#if OPENSSL_VERSION_NUMBER >= 0x1010000f
104 method = TLS_client_method();
105 if (method == NULL)
106 err_ssl(1, "TLS_client_method");
107#else
108 method = SSLv23_client_method();
109 if (method == NULL)
110 err_ssl(1, "SSLv23_client_method");
111#endif
112 ctx = SSL_CTX_new(method);
113 if (ctx == NULL)
114 err_ssl(1, "SSL_CTX_new");
115
116 /* load client certificate */
117 if (crt != NULL) {
118 if (SSL_CTX_use_certificate_file(ctx, crt,
119 SSL_FILETYPE_PEM) <= 0)
120 err_ssl(1, "SSL_CTX_use_certificate_file");
121 if (SSL_CTX_use_PrivateKey_file(ctx, key,
122 SSL_FILETYPE_PEM) <= 0)
123 err_ssl(1, "SSL_CTX_use_PrivateKey_file");
124 if (SSL_CTX_check_private_key(ctx) <= 0)
125 err_ssl(1, "SSL_CTX_check_private_key");
126 }
127
128 /* verify server certificate */
129 if (ca != NULL) {
130 if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
131 err_ssl(1, "SSL_CTX_load_verify_locations");
132 }
133 SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
134 verify_callback);
135
136 if (sessionreuse) {
137 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
138 }
139
140 if (ciphers) {
141 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
142 err_ssl(1, "SSL_CTX_set_cipher_list");
143 }
144
145 if (listciphers) {
146 ssl = SSL_new(ctx);
147 if (ssl == NULL)
148 err_ssl(1, "SSL_new");
149 print_ciphers(SSL_get_ciphers(ssl));
150 return 0;
151 }
152
153 do {
154 /* setup bio for socket operations */
155 bio = BIO_new_connect(host_port);
156 if (bio == NULL)
157 err_ssl(1, "BIO_new_connect");
158
159 /* connect */
160 if (BIO_do_connect(bio) <= 0)
161 err_ssl(1, "BIO_do_connect");
162 printf("connect ");
163 print_sockname(bio);
164 printf("connect ");
165 print_peername(bio);
166
167 /* do ssl client handshake */
168 ssl = SSL_new(ctx);
169 if (ssl == NULL)
170 err_ssl(1, "SSL_new");
171 SSL_set_bio(ssl, bio, bio);
172 /* resuse session if possible */
173 if (session != NULL) {
174 if (SSL_set_session(ssl, session) <= 0)
175 err_ssl(1, "SSL_set_session");
176 }
177 if ((error = SSL_connect(ssl)) <= 0)
178 err_ssl(1, "SSL_connect %d", error);
179 printf("session %d: %s\n", sessionreuse,
180 SSL_session_reused(ssl) ? "reuse" : "new");
181 if (fflush(stdout) != 0)
182 err(1, "fflush stdout");
183
184 /* print session statistics */
185 if (sessionreuse) {
186 session = SSL_get1_session(ssl);
187 if (session == NULL)
188 err_ssl(1, "SSL1_get_session");
189 } else {
190 session = SSL_get_session(ssl);
191 if (session == NULL)
192 err_ssl(1, "SSL_get_session");
193 }
194 if (SSL_SESSION_print_fp(stdout, session) <= 0)
195 err_ssl(1, "SSL_SESSION_print_fp");
196
197 /* read server greeting and write client hello over TLS */
198 if ((error = SSL_read(ssl, buf, 9)) <= 0)
199 err_ssl(1, "SSL_read %d", error);
200 if (error != 9)
201 errx(1, "read not 9 bytes greeting: %d", error);
202 buf[9] = '\0';
203 printf("<<< %s", buf);
204 if (fflush(stdout) != 0)
205 err(1, "fflush stdout");
206 strlcpy(buf, "hello\n", sizeof(buf));
207 printf(">>> %s", buf);
208 if (fflush(stdout) != 0)
209 err(1, "fflush stdout");
210 if ((error = SSL_write(ssl, buf, 6)) <= 0)
211 err_ssl(1, "SSL_write %d", error);
212 if (error != 6)
213 errx(1, "write not 6 bytes hello: %d", error);
214
215 /* shutdown connection */
216 if ((error = SSL_shutdown(ssl)) < 0)
217 err_ssl(1, "SSL_shutdown unidirectional %d", error);
218 if (error <= 0) {
219 if ((error = SSL_shutdown(ssl)) <= 0)
220 err_ssl(1, "SSL_shutdown bidirectional %d",
221 error);
222 }
223
224 SSL_free(ssl);
225 } while (sessionreuse--);
226
227 SSL_CTX_free(ctx);
228
229 printf("success\n");
230
231 return 0;
232}
diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
deleted file mode 100644
index 868c3c146f..0000000000
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ /dev/null
@@ -1,37 +0,0 @@
1# $OpenBSD: Makefile,v 1.5 2018/11/11 00:15:04 bluhm Exp $
2
3PROGS = client server
4CPPFLAGS =
5LDFLAGS =
6LDADD = -lssl -lcrypto
7DPADD = ${LIBSSL} ${LIBCRYPTO}
8LD_LIBRARY_PATH =
9REGRESS_TARGETS = run-self-client-server
10.for p in ${PROGS}
11REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
12.endfor
13
14.for p in ${PROGS}
15
16run-ldd-$p: ldd-$p.out
17 @echo '\n======== $@ ========'
18 # check that $p is linked with LibreSSL
19 grep -q /usr/lib/libcrypto.so ldd-$p.out
20 grep -q /usr/lib/libssl.so ldd-$p.out
21 # check that $p is not linked with OpenSSL
22 ! grep /usr/local/lib/ ldd-$p.out
23
24run-version-$p: $p-self.out
25 @echo '\n======== $@ ========'
26 # check that runtime version is LibreSSL
27 grep 'SSLEAY_VERSION: LibreSSL' $p-self.out
28
29run-protocol-$p: $p-self.out
30 @echo '\n======== $@ ========'
31 # check that LibreSSL protocol version is TLS 1.2
32 # XXX adapt when LibreSSL supports TLS 1.3
33 grep 'Protocol *: TLSv1.2' $p-self.out
34
35.endfor
36
37.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
deleted file mode 100644
index 80f49c52f0..0000000000
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ /dev/null
@@ -1,90 +0,0 @@
1# $OpenBSD: Makefile,v 1.2 2018/11/11 07:39:35 bluhm Exp $
2
3LIBRARIES = libressl
4.if exists(/usr/local/bin/eopenssl)
5LIBRARIES += openssl
6.endif
7.if exists(/usr/local/bin/eopenssl11)
8LIBRARIES += openssl11
9.endif
10
11# run netcat server and connect with test client
12
13.for clib in ${LIBRARIES}
14
15REGRESS_TARGETS += run-netcat-client-${clib}-server-nc
16REGRESS_TARGETS += run-protocol-client-${clib}
17
18run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt
19 @echo '\n======== $@ ========'
20 echo "greeting" | \
21 nc >${@:S/^run/server/}.out \
22 -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
23 127.0.0.1 0 & \
24 for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \
25 grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \
26 exit 0; done; exit 1
27 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
28 ../${clib}/client >${@:S/^run/client/}.out \
29 `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat`
30 # check that the client run successfully to the end
31 grep -q '^success$$' ${@:S/^run/client/}.out
32 # client must have read server greeting
33 grep -q '^<<< greeting$$' ${@:S/^run/client/}.out
34 # netstat server must have read client hello
35 grep -q '^hello$$' ${@:S/^run/server/}.out
36
37.endfor
38
39# run test server and connect with netcat client
40
41.for slib in ${LIBRARIES}
42
43REGRESS_TARGETS += run-netcat-client-nc-server-${slib}
44
45run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt
46 @echo '\n======== $@ ========'
47 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
48 ../${slib}/server >${@:S/^run/server/}.out \
49 127.0.0.1 0
50 echo "hello" | \
51 nc >${@:S/^run/client/}.out \
52 -c -R 127.0.0.1.crt \
53 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
54 # check that the server child run successfully to the end
55 grep -q '^success$$' ${@:S/^run/server/}.out || \
56 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
57 # server must have read client hello
58 grep -q '^<<< hello$$' ${@:S/^run/server/}.out
59 # client must have read server greeting
60 grep -q '^greeting$$' ${@:S/^run/client/}.out
61
62.endfor
63
64# check the TLS protocol version in client and server logs
65
66.for clib in ${LIBRARIES}
67
68REGRESS_TARGETS += run-protocol-client-${clib}
69
70run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out
71 @echo '\n======== $@ ========'
72 # check that LibTLS protocol version is TLS 1.2
73 # XXX adapt when LibreSSL supports TLS 1.3
74 grep 'Protocol *: TLSv1.2' client-netcat-client-${clib}-server-nc.out
75
76.endfor
77
78.for slib in ${LIBRARIES}
79
80REGRESS_TARGETS += run-protocol-server-${slib}
81
82run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out
83 @echo '\n======== $@ ========'
84 # check that LibTLS protocol version is TLS 1.2
85 # XXX adapt when LibreSSL supports TLS 1.3
86 grep 'Protocol *: TLSv1.2' server-netcat-client-nc-server-${slib}.out
87
88.endfor
89
90.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
deleted file mode 100644
index adc93e5ad5..0000000000
--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
1# $OpenBSD: Makefile,v 1.6 2018/11/11 00:15:04 bluhm Exp $
2
3.if ! exists(/usr/local/bin/eopenssl)
4regress:
5 # install openssl-1.0.2 from ports for interop tests
6 @echo SKIPPED
7.endif
8
9PROGS = client server
10CPPFLAGS = -I /usr/local/include/eopenssl
11LDFLAGS = -L /usr/local/lib/eopenssl
12LDADD = -lssl -lcrypto
13DPADD = /usr/local/lib/eopenssl/libssl.a \
14 /usr/local/lib/eopenssl/libcrypto.a
15LD_LIBRARY_PATH = /usr/local/lib/eopenssl
16REGRESS_TARGETS = run-self-client-server
17.for p in ${PROGS}
18REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
19.endfor
20
21.for p in ${PROGS}
22
23run-ldd-$p: ldd-$p.out
24 @echo '\n======== $@ ========'
25 # check that $p is linked with OpenSSL
26 grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
27 grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
28 # check that $p is not linked with LibreSSL
29 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
30
31run-version-$p: $p-self.out
32 @echo '\n======== $@ ========'
33 # check that runtime version is OpenSSL 1.0.2
34 grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
35
36run-protocol-$p: $p-self.out
37 @echo '\n======== $@ ========'
38 # check that OpenSSL 1.0.2 protocol version is TLS 1.2
39 grep 'Protocol *: TLSv1.2' $p-self.out
40
41.endfor
42
43.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl11/Makefile b/src/regress/lib/libssl/interop/openssl11/Makefile
deleted file mode 100644
index 3ea1ef35da..0000000000
--- a/src/regress/lib/libssl/interop/openssl11/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
1# $OpenBSD: Makefile,v 1.5 2018/11/11 00:15:04 bluhm Exp $
2
3.if ! exists(/usr/local/bin/eopenssl11)
4regress:
5 # install openssl-1.1 from ports for interop tests
6 @echo SKIPPED
7.endif
8
9PROGS = client server
10CPPFLAGS = -I /usr/local/include/eopenssl11
11LDFLAGS = -L /usr/local/lib/eopenssl11
12LDADD = -lssl -lcrypto
13DPADD = /usr/local/lib/eopenssl11/libssl.a \
14 /usr/local/lib/eopenssl11/libcrypto.a
15LD_LIBRARY_PATH = /usr/local/lib/eopenssl11
16REGRESS_TARGETS = run-self-client-server
17.for p in ${PROGS}
18REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
19.endfor
20
21.for p in ${PROGS}
22
23run-ldd-$p: ldd-$p.out
24 @echo '\n======== $@ ========'
25 # check that $p is linked with OpenSSL 1.1
26 grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out
27 grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out
28 # check that $p is not linked with LibreSSL
29 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
30
31run-version-$p: $p-self.out
32 @echo '\n======== $@ ========'
33 # check that runtime version is OpenSSL 1.1
34 grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out
35
36run-protocol-$p: $p-self.out
37 @echo '\n======== $@ ========'
38 # check that OpenSSL 1.1 protocol version is TLS 1.3
39 grep 'Protocol *: TLSv1.3' $p-self.out
40
41.endfor
42
43.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
deleted file mode 100644
index 6723817498..0000000000
--- a/src/regress/lib/libssl/interop/server.c
+++ /dev/null
@@ -1,279 +0,0 @@
1/* $OpenBSD: server.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $ */
2/*
3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
28#include <openssl/err.h>
29#include <openssl/ssl.h>
30
31#include "util.h"
32
33void __dead usage(void);
34
35void __dead
36usage(void)
37{
38 fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
39 "[-l ciphers] [-p dhparam] [host port]\n");
40 exit(2);
41}
42
43int
44main(int argc, char *argv[])
45{
46 const SSL_METHOD *method;
47 SSL_CTX *ctx;
48 SSL *ssl;
49 BIO *abio, *cbio;
50 SSL_SESSION *session;
51 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
52 char buf[256], *dhparam = NULL;
53 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
54 char *host_port, *host = "127.0.0.1", *port = "0";
55
56 while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sv")) != -1) {
57 switch (ch) {
58 case 'C':
59 ca = optarg;
60 break;
61 case 'c':
62 crt = optarg;
63 break;
64 case 'k':
65 key = optarg;
66 break;
67 case 'L':
68 listciphers = 1;
69 break;
70 case 'l':
71 ciphers = optarg;
72 break;
73 case 'p':
74 dhparam = optarg;
75 break;
76 case 's':
77 /* multiple reueses are possible */
78 sessionreuse++;
79 break;
80 case 'v':
81 /* use twice to force client cert */
82 verify++;
83 break;
84 default:
85 usage();
86 }
87 }
88 argc -= optind;
89 argv += optind;
90 if (argc == 2) {
91 host = argv[0];
92 port = argv[1];
93 } else if (argc != 0 && !listciphers) {
94 usage();
95 }
96 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
97 host, port) == -1)
98 err(1, "asprintf host port");
99 if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
100 errx(1, "certificate and private key must be used together");
101 if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
102 err(1, "asprintf crt");
103 if (key == NULL && asprintf(&key, "%s.key", host) == -1)
104 err(1, "asprintf key");
105
106 SSL_library_init();
107 SSL_load_error_strings();
108 print_version();
109
110 /* setup method and context */
111#if OPENSSL_VERSION_NUMBER >= 0x1010000f
112 method = TLS_server_method();
113 if (method == NULL)
114 err_ssl(1, "TLS_server_method");
115#else
116 method = SSLv23_server_method();
117 if (method == NULL)
118 err_ssl(1, "SSLv23_server_method");
119#endif
120 ctx = SSL_CTX_new(method);
121 if (ctx == NULL)
122 err_ssl(1, "SSL_CTX_new");
123
124#if OPENSSL_VERSION_NUMBER >= 0x10100000
125 /* needed to use DHE cipher with libressl */
126 if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
127 err_ssl(1, "SSL_CTX_set_dh_auto");
128#endif
129 /* needed to use ADH, EDH, DHE cipher with openssl */
130 if (dhparam != NULL) {
131 DH *dh;
132 FILE *file;
133
134 file = fopen(dhparam, "r");
135 if (file == NULL)
136 err(1, "fopen %s", dhparam);
137 dh = PEM_read_DHparams(file, NULL, NULL, NULL);
138 if (dh == NULL)
139 err_ssl(1, "PEM_read_DHparams");
140 if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0)
141 err_ssl(1, "SSL_CTX_set_tmp_dh");
142 fclose(file);
143 }
144
145 /* needed when linking with OpenSSL 1.0.2p */
146 if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
147 err_ssl(1, "SSL_CTX_set_ecdh_auto");
148
149 /* load server certificate */
150 if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
151 err_ssl(1, "SSL_CTX_use_certificate_file");
152 if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0)
153 err_ssl(1, "SSL_CTX_use_PrivateKey_file");
154 if (SSL_CTX_check_private_key(ctx) <= 0)
155 err_ssl(1, "SSL_CTX_check_private_key");
156
157 /* request client certificate and verify it */
158 if (ca != NULL) {
159 STACK_OF(X509_NAME) *x509stack;
160
161 x509stack = SSL_load_client_CA_file(ca);
162 if (x509stack == NULL)
163 err_ssl(1, "SSL_load_client_CA_file");
164 SSL_CTX_set_client_CA_list(ctx, x509stack);
165 if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
166 err_ssl(1, "SSL_CTX_load_verify_locations");
167 }
168 SSL_CTX_set_verify(ctx,
169 verify == 0 ? SSL_VERIFY_NONE :
170 verify == 1 ? SSL_VERIFY_PEER :
171 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
172 verify_callback);
173
174 if (sessionreuse) {
175 uint32_t context;
176
177 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
178 context = arc4random();
179 if (SSL_CTX_set_session_id_context(ctx,
180 (unsigned char *)&context, sizeof(context)) <= 0)
181 err_ssl(1, "SSL_CTX_set_session_id_context");
182 }
183
184 if (ciphers) {
185 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
186 err_ssl(1, "SSL_CTX_set_cipher_list");
187 }
188
189 if (listciphers) {
190 ssl = SSL_new(ctx);
191 if (ssl == NULL)
192 err_ssl(1, "SSL_new");
193 print_ciphers(SSL_get_ciphers(ssl));
194 return 0;
195 }
196
197 /* setup bio for socket operations */
198 abio = BIO_new_accept(host_port);
199 if (abio == NULL)
200 err_ssl(1, "BIO_new_accept");
201
202 /* bind, listen */
203 if (BIO_do_accept(abio) <= 0)
204 err_ssl(1, "BIO_do_accept setup");
205 printf("listen ");
206 print_sockname(abio);
207
208 /* fork to background and set timeout */
209 if (daemon(1, 1) == -1)
210 err(1, "daemon");
211 if ((int)alarm(10) == -1)
212 err(1, "alarm");
213
214 do {
215 /* accept connection */
216 if (BIO_do_accept(abio) <= 0)
217 err_ssl(1, "BIO_do_accept wait");
218 cbio = BIO_pop(abio);
219 printf("accept ");
220 print_sockname(cbio);
221 printf("accept ");
222 print_peername(cbio);
223
224 /* do ssl server handshake */
225 ssl = SSL_new(ctx);
226 if (ssl == NULL)
227 err_ssl(1, "SSL_new");
228 SSL_set_bio(ssl, cbio, cbio);
229 if ((error = SSL_accept(ssl)) <= 0)
230 err_ssl(1, "SSL_accept %d", error);
231 printf("session %d: %s\n", sessionreuse,
232 SSL_session_reused(ssl) ? "reuse" : "new");
233 if (fflush(stdout) != 0)
234 err(1, "fflush stdout");
235
236
237 /* print session statistics */
238 session = SSL_get_session(ssl);
239 if (session == NULL)
240 err_ssl(1, "SSL_get_session");
241 if (SSL_SESSION_print_fp(stdout, session) <= 0)
242 err_ssl(1, "SSL_SESSION_print_fp");
243
244 /* write server greeting and read client hello over TLS */
245 strlcpy(buf, "greeting\n", sizeof(buf));
246 printf(">>> %s", buf);
247 if (fflush(stdout) != 0)
248 err(1, "fflush stdout");
249 if ((error = SSL_write(ssl, buf, 9)) <= 0)
250 err_ssl(1, "SSL_write %d", error);
251 if (error != 9)
252 errx(1, "write not 9 bytes greeting: %d", error);
253 if ((error = SSL_read(ssl, buf, 6)) <= 0)
254 err_ssl(1, "SSL_read %d", error);
255 if (error != 6)
256 errx(1, "read not 6 bytes hello: %d", error);
257 buf[6] = '\0';
258 printf("<<< %s", buf);
259 if (fflush(stdout) != 0)
260 err(1, "fflush stdout");
261
262 /* shutdown connection */
263 if ((error = SSL_shutdown(ssl)) < 0)
264 err_ssl(1, "SSL_shutdown unidirectional %d", error);
265 if (error <= 0) {
266 if ((error = SSL_shutdown(ssl)) <= 0)
267 err_ssl(1, "SSL_shutdown bidirectional %d",
268 error);
269 }
270
271 SSL_free(ssl);
272 } while (sessionreuse--);
273
274 SSL_CTX_free(ctx);
275
276 printf("success\n");
277
278 return 0;
279}
diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile
deleted file mode 100644
index c82440d785..0000000000
--- a/src/regress/lib/libssl/interop/session/Makefile
+++ /dev/null
@@ -1,45 +0,0 @@
1# $OpenBSD: Makefile,v 1.3 2018/11/11 07:39:35 bluhm Exp $
2
3LIBRARIES = libressl
4.if exists(/usr/local/bin/eopenssl)
5LIBRARIES += openssl
6.endif
7.if exists(/usr/local/bin/eopenssl11)
8LIBRARIES += openssl11
9.endif
10
11run-session-client-openssl11-server-openssl11:
12 @echo '\n======== $@ ========'
13 # TLS 1.3 needs some extra setup for session reuse
14 @echo DISABLED
15
16.for clib in ${LIBRARIES}
17.for slib in ${LIBRARIES}
18
19REGRESS_TARGETS += run-session-client-${clib}-server-${slib}
20
21run-session-client-${clib}-server-${slib}: \
22 127.0.0.1.crt ../${clib}/client ../${slib}/server
23 @echo '\n======== $@ ========'
24 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
25 ../${slib}/server >${@:S/^run/server/}.out \
26 -ss \
27 127.0.0.1 0
28 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
29 ../${clib}/client >${@:S/^run/client/}.out \
30 -ss \
31 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
32 grep '^success$$' ${@:S/^run/server/}.out || \
33 { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
34 grep '^success$$' ${@:S/^run/client/}.out
35 grep '^session 2: new$$' ${@:S/^run/server/}.out
36 grep '^session 2: new$$' ${@:S/^run/client/}.out
37 grep '^session 1: reuse$$' ${@:S/^run/server/}.out
38 grep '^session 1: reuse$$' ${@:S/^run/client/}.out
39 grep '^session 0: reuse$$' ${@:S/^run/server/}.out
40 grep '^session 0: reuse$$' ${@:S/^run/client/}.out
41
42.endfor
43.endfor
44
45.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/util.c b/src/regress/lib/libssl/interop/util.c
deleted file mode 100644
index 5190e81828..0000000000
--- a/src/regress/lib/libssl/interop/util.c
+++ /dev/null
@@ -1,145 +0,0 @@
1/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24
25#include <openssl/err.h>
26#include <openssl/ssl.h>
27#include <openssl/opensslv.h>
28#include <openssl/crypto.h>
29
30#include "util.h"
31
32void
33print_version(void)
34{
35#ifdef OPENSSL_VERSION_NUMBER
36 printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
37#endif
38#ifdef LIBRESSL_VERSION_NUMBER
39 printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
40#endif
41#ifdef LIBRESSL_VERSION_TEXT
42 printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
43#endif
44#if OPENSSL_VERSION_NUMBER >= 0x1010000f
45 printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
46 printf("OpenSSL_version OPENSSL_VERSION: %s\n",
47 OpenSSL_version(OPENSSL_VERSION));
48 printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
49 OpenSSL_version(OPENSSL_CFLAGS));
50 printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
51 OpenSSL_version(OPENSSL_BUILT_ON));
52 printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
53 OpenSSL_version(OPENSSL_PLATFORM));
54 printf("OpenSSL_version OPENSSL_DIR: %s\n",
55 OpenSSL_version(OPENSSL_DIR));
56 printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
57 OpenSSL_version(OPENSSL_ENGINES_DIR));
58#endif
59 printf("SSLeay: %#08lx\n", SSLeay());
60 printf("SSLeay_version SSLEAY_VERSION: %s\n",
61 SSLeay_version(SSLEAY_VERSION));
62 printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
63 SSLeay_version(SSLEAY_CFLAGS));
64 printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
65 SSLeay_version(SSLEAY_BUILT_ON));
66 printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
67 SSLeay_version(SSLEAY_PLATFORM));
68 printf("SSLeay_version SSLEAY_DIR: %s\n",
69 SSLeay_version(SSLEAY_DIR));
70}
71
72void
73print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
74{
75 const SSL_CIPHER *cipher;
76 int i;
77
78 for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
79 printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
80 if (fflush(stdout) != 0)
81 err(1, "fflush stdout");
82}
83
84void
85print_sockname(BIO *bio)
86{
87 struct sockaddr_storage ss;
88 socklen_t slen;
89 char host[NI_MAXHOST], port[NI_MAXSERV];
90 int fd;
91
92 if (BIO_get_fd(bio, &fd) <= 0)
93 err_ssl(1, "BIO_get_fd");
94 slen = sizeof(ss);
95 if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
96 err(1, "getsockname");
97 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
98 sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
99 errx(1, "getnameinfo");
100 printf("sock: %s %s\n", host, port);
101 if (fflush(stdout) != 0)
102 err(1, "fflush stdout");
103}
104
105void
106print_peername(BIO *bio)
107{
108 struct sockaddr_storage ss;
109 socklen_t slen;
110 char host[NI_MAXHOST], port[NI_MAXSERV];
111 int fd;
112
113 if (BIO_get_fd(bio, &fd) <= 0)
114 err_ssl(1, "BIO_get_fd");
115 slen = sizeof(ss);
116 if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
117 err(1, "getpeername");
118 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
119 sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
120 errx(1, "getnameinfo");
121 printf("peer: %s %s\n", host, port);
122 if (fflush(stdout) != 0)
123 err(1, "fflush stdout");
124}
125
126void
127err_ssl(int eval, const char *fmt, ...)
128{
129 va_list ap;
130
131 ERR_print_errors_fp(stderr);
132 va_start(ap, fmt);
133 verrx(eval, fmt, ap);
134 va_end(ap);
135}
136
137int
138verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
139{
140 printf("verify: %s\n", preverify_ok ? "pass" : "fail");
141 if (fflush(stdout) != 0)
142 err(1, "fflush stdout");
143
144 return preverify_ok;
145}
diff --git a/src/regress/lib/libssl/interop/util.h b/src/regress/lib/libssl/interop/util.h
deleted file mode 100644
index 7414a037d7..0000000000
--- a/src/regress/lib/libssl/interop/util.h
+++ /dev/null
@@ -1,23 +0,0 @@
1/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18void print_version(void);
19void print_ciphers(STACK_OF(SSL_CIPHER) *);
20void print_sockname(BIO *);
21void print_peername(BIO *);
22void err_ssl(int, const char *, ...);
23int verify_callback(int, X509_STORE_CTX *);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-27 17:00:31 +0000