Diffstat (limited to 'src/regress/lib/libssl/interop')
-rw-r--r--src/regress/lib/libssl/interop/LICENSE15
-rw-r--r--src/regress/lib/libssl/interop/Makefile19
-rw-r--r--src/regress/lib/libssl/interop/Makefile.inc90
-rw-r--r--src/regress/lib/libssl/interop/README22
-rw-r--r--src/regress/lib/libssl/interop/botan/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/botan/client.cpp228
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile91
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile169
-rw-r--r--src/regress/lib/libssl/interop/client.c285
-rw-r--r--src/regress/lib/libssl/interop/libressl/Makefile34
-rw-r--r--src/regress/lib/libssl/interop/netcat/Makefile84
-rw-r--r--src/regress/lib/libssl/interop/openssl/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/openssl11/Makefile43
-rw-r--r--src/regress/lib/libssl/interop/server.c332
-rw-r--r--src/regress/lib/libssl/interop/session/Makefile46
-rw-r--r--src/regress/lib/libssl/interop/util.c145
-rw-r--r--src/regress/lib/libssl/interop/util.h23
-rw-r--r--src/regress/lib/libssl/interop/version/Makefile103
18 files changed, 0 insertions, 1856 deletions
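diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */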
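diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index 789ff00e7f..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.15 2021/08/30 17:34:02 tb Exp $
-
-SUBDIR = libressl openssl openssl11
-
-# the above binaries must have been built before we can continue
-SUBDIR += netcat
-SUBDIR += session
-SUBDIR += botan
-
-# What is below takes a long time.
-# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
-# will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
-SUBDIR += version
-SUBDIR += cipher
-# This takes a really long time.
-SUBDIR += cert
-
-.include <bsd.subdir.mk>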
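diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index ed5fe26147..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,90 +0,0 @@
-# $OpenBSD: Makefile.inc,v 1.8 2020/12/17 00:51:11 bluhm Exp $
-
-.PATH: ${.CURDIR}/..
-
-SRCS_client ?= client.c util.c
-SRCS_server ?= server.c util.c
-WARNINGS = yes
-CLEANFILES += *.out *.fstat
-
-.for p in ${PROGS}
-ldd-$p.out: $p
- # programs must be linked with correct libraries
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
-.endfor
-
-client-self.out server-self.out: run-self-client-server
-
-run-self-client-server: client server 127.0.0.1.crt
- # check that tls client and server work together
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./server >server-self.out \
- 127.0.0.1 0
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
- ./client >client-self.out \
- `sed -n 's/listen sock: //p' server-self.out`
- # check that the client run successfully to the end
- grep -q '^success$$' client-self.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' client-self.out
- # check that the server child run successfully to the end
- grep -q '^success$$' server-self.out
- # server must have read client hello
- grep -q '^<<< hello$$' server-self.out
-
-# create certificates for TLS
-
-CLEANFILES += 127.0.0.1.{crt,key} \
- ca.{crt,key,srl} fake-ca.{crt,key} \
- {client,server}.{req,crt,key} \
- {dsa,ec,gost,rsa}.{key,req,crt} \
- dh.param
-
-127.0.0.1.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=server/CN=${@:R}/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-ca.crt fake-ca.crt:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \
- -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@
-
-client.req server.req:
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -newkey rsa -keyout ${@:R}.key -out $@
-
-client.crt server.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@
-
-dh.param:
- openssl dhparam -out $@ 1024
-
-dsa.key:
- openssl dsaparam -genkey -out $@ 2048
-
-ec.key:
- openssl ecparam -genkey -name secp256r1 -out $@
-
-gost.key:
- openssl genpkey -algorithm gost2001 \
- -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@
-
-rsa.key:
- openssl genrsa -out $@ 2048
-
-dsa.req ec.req rsa.req: ${@:R}.key
- openssl req -batch -new \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-gost.req: ${@:R}.key
- openssl req -batch -new -md_gost94 \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req
- openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
- -req -in ${@:R}.req -out $@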
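diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
deleted file mode 100644
index 54910e554d..0000000000
--- a/src/regress/lib/libssl/interop/README
+++ /dev/null
@@ -1,22 +0,0 @@
-Test TLS interoperability between LibreSSL and OpenSSL.
-
-Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
-way API compatibility is tested.
-
-To self test each SSL library, connect client with server. Check
-that the highest available TLS version is selected. LibreSSL TLS
-1.3 check has to be enabled when the feature becomes available.
-
-Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
-soon as LibreSSL supports TLS 1.3, it should be used automatically
-when netcat is communicating with OpenSSL 1.1.
-
-Connect and accept with netcat to test protocol compatibility with
-libtls. Test TLS session reuse multiple times with different library
-combinations. The cert subdir is testing all combinations of
-certificate validation. Having the three libraries, client and
-server certificates, missing or invalid CA or certificates, and
-enforcing peer certificate results in 1944 test cases. The cipher
-test establishes connections between implementations for each
-supported cipher.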
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
deleted file mode 100644
index ea9517dc6d..0000000000
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
1# $OpenBSD: Makefile,v 1.5 2021/12/02 17:10:53 kn Exp $
2
3.include <bsd.own.mk>
4
5.if ! exists(/usr/local/bin/botan)
6regress:
7 # install botan2 from ports for interop tests
8 @echo 'Run "pkg_add botan2" to run tests against Botan 2'
9 @echo SKIPPED
10.elif (${COMPILER_VERSION:L} != "clang" && ! exists(/usr/local/bin/eg++))
11regress:
12 # on gcc-archs install g++ from ports for botan2 interop tests
13 @echo 'Run "pkg_add g++" to run tests against Botan 2 on GCC architectures'
14 @echo SKIPPED
15.else
16
17# C++11
18.if ${COMPILER_VERSION:L} != "clang" && ${CXX} == "c++"
19CXX = /usr/local/bin/eg++
20.endif
21
22LIBRARIES = libressl
23.if exists(/usr/local/bin/eopenssl)
24LIBRARIES += openssl
25.endif
26.if exists(/usr/local/bin/eopenssl11)
27LIBRARIES += openssl11
28.endif
29
30PROGS = client
31SRCS_client = client.cpp
32CXXFLAGS = -I/usr/local/include/botan-2 -Wall
33LDFLAGS = -L/usr/local/lib
34LDADD = -lbotan-2
35DPADD = /usr/local/lib/libbotan-2.a
36
37.for lib in ${LIBRARIES}
38
39REGRESS_TARGETS += run-client-botan-server-${lib}
40
41run-client-botan-server-${lib}: client server.crt
42 LD_LIBRARY_PATH=/usr/local/lib/e${lib} \
43 ../${lib}/server >server-${lib}.out \
44 -c server.crt -k server.key \
45 127.0.0.1 0
46 ./client >client-botan.out \
47 -C ca.crt \
48 127.0.0.1 \
49 `sed -n 's/listen sock: 127.0.0.1 //p' server-${lib}.out`
50 # check that the server child run successfully to the end
51 grep -q '^success$$' server-${lib}.out || \
52 { sleep 1; grep -q '^success$$' server-${lib}.out; }
53 # server must have read client hello
54 grep -q '^<<< hello$$' server-${lib}.out
55 # check that the client run successfully to the end
56 grep -q '^success$$' client-botan.out
57 # client must have read server greeting
58 grep -q '^<<< greeting$$' client-botan.out
59 # currently botan supports TLS 1.2, adapt later
60 grep -q ' Protocol *: TLSv1.2$$' server-${lib}.out
61
62.endfor
63
64server.key ca.key:
65 /usr/local/bin/botan keygen >$@.tmp
66 mv $@.tmp $@
67
68ca.crt: ${@:R}.key
69 /usr/local/bin/botan gen_self_signed ${@:R}.key ${@:R} >$@.tmp \
70 --organization=tls-regress --ca
71 mv $@.tmp $@
72
73server.req: ${@:R}.key
74 /usr/local/bin/botan gen_pkcs10 ${@:R}.key localhost >$@.tmp \
75 --organization=tls-regress --dns=127.0.0.1
76 mv $@.tmp $@
77
78server.crt: ca.crt ${@:R}.req
79 /usr/local/bin/botan sign_cert ca.crt ca.key ${@:R}.req >$@.tmp
80 mv $@.tmp $@
81
82.endif # exists(/usr/local/bin/botan)
83
84.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/botan/client.cpp b/src/regress/lib/libssl/interop/botan/client.cpp
deleted file mode 100644
index 2352d7bba2..0000000000
--- a/src/regress/lib/libssl/interop/botan/client.cpp
+++ /dev/null
@@ -1,228 +0,0 @@
1/* $OpenBSD: client.cpp,v 1.1 2020/09/15 01:45:16 bluhm Exp $ */
2/*
3 * Copyright (c) 2019-2020 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <unistd.h>
24
25#include <botan/tls_client.h>
26#include <botan/tls_callbacks.h>
27#include <botan/tls_session_manager.h>
28#include <botan/tls_policy.h>
29#include <botan/auto_rng.h>
30#include <botan/certstor.h>
31
32#include <iostream>
33#include <string>
34using namespace std;
35
36class Callbacks : public Botan::TLS::Callbacks {
37public:
38 Callbacks(int socket) :
39 m_socket(socket)
40 {}
41
42 void print_sockname()
43 {
44 struct sockaddr_storage ss;
45 char host[NI_MAXHOST], port[NI_MAXSERV];
46 socklen_t slen;
47
48 slen = sizeof(ss);
49 if (getsockname(m_socket, (struct sockaddr *)&ss, &slen) == -1)
50 err(1, "getsockname");
51 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
52 sizeof(host), port, sizeof(port),
53 NI_NUMERICHOST | NI_NUMERICSERV))
54 errx(1, "getnameinfo");
55 cout <<"sock: " <<host <<" " <<port <<endl <<flush;
56 }
57
58 void print_peername()
59 {
60 struct sockaddr_storage ss;
61 char host[NI_MAXHOST], port[NI_MAXSERV];
62 socklen_t slen;
63
64 slen = sizeof(ss);
65 if (getpeername(m_socket, (struct sockaddr *)&ss, &slen) == -1)
66 err(1, "getpeername");
67 if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
68 sizeof(host), port, sizeof(port),
69 NI_NUMERICHOST | NI_NUMERICSERV))
70 errx(1, "getnameinfo");
71 cout <<"peer: " <<host <<" " <<port <<endl <<flush;
72 }
73
74 void tls_emit_data(const uint8_t data[], size_t size) override
75 {
76 size_t off = 0, len = size;
77
78 while (len > 0) {
79 ssize_t n;
80
81 n = send(m_socket, data + off, len, 0);
82 if (n < 0)
83 err(1, "send");
84 off += n;
85 len -= n;
86 }
87 }
88
89 void tls_record_received(uint64_t seq_no, const uint8_t data[],
90 size_t size) override
91 {
92 cout <<"<<< " <<string((const char *)data, size) <<flush;
93
94 string str("hello\n");
95 cout <<">>> " <<str <<flush;
96 m_channel->send(str);
97 m_channel->close();
98 }
99
100 void tls_alert(Botan::TLS::Alert alert) override
101 {
102 errx(1, "alert: %s", alert.type_string().c_str());
103 }
104
105 bool tls_session_established(const Botan::TLS::Session& session)
106 override
107 {
108 cout <<"established" <<endl <<flush;
109 return false;
110 }
111
112 void set_channel(Botan::TLS::Channel &channel) {
113 m_channel = &channel;
114 }
115
116protected:
117 int m_socket = -1;
118 Botan::TLS::Channel *m_channel = nullptr;
119};
120
121class Credentials : public Botan::Credentials_Manager {
122public:
123 std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(
124 const std::string &type, const std::string &context)
125 override
126 {
127 std::vector<Botan::Certificate_Store*> cs { &m_ca };
128 return cs;
129 }
130
131 void add_certificate_file(const std::string &file) {
132 Botan::X509_Certificate cert(file);
133 m_ca.add_certificate(cert);
134 }
135private:
136 Botan::Certificate_Store_In_Memory m_ca;
137};
138
139class Policy : public Botan::TLS::Strict_Policy {
140public:
141 bool require_cert_revocation_info() const override {
142 return false;
143 }
144};
145
146void __dead
147usage(void)
148{
149 fprintf(stderr, "usage: client [-C CA] host port\n");
150 exit(2);
151}
152
153int
154main(int argc, char *argv[])
155{
156 struct addrinfo hints, *res;
157 int ch, s, error;
158 char buf[256];
159 char *cafile = NULL;
160 char *host, *port;
161
162 while ((ch = getopt(argc, argv, "C:")) != -1) {
163 switch (ch) {
164 case 'C':
165 cafile = optarg;
166 break;
167 default:
168 usage();
169 }
170 }
171 argc -= optind;
172 argv += optind;
173 if (argc == 2) {
174 host = argv[0];
175 port = argv[1];
176 } else {
177 usage();
178 }
179
180 memset(&hints, 0, sizeof(hints));
181 hints.ai_family = AF_INET;
182 hints.ai_socktype = SOCK_STREAM;
183 error = getaddrinfo(host, port, &hints, &res);
184 if (error)
185 errx(1, "getaddrinfo: %s", gai_strerror(error));
186 if (res == NULL)
187 errx(1, "getaddrinfo empty");
188 s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
189 if (s == -1)
190 err(1, "socket");
191 if (connect(s, res->ai_addr, res->ai_addrlen) == -1)
192 err(1, "connect");
193 freeaddrinfo(res);
194
195 {
196 Callbacks callbacks(s);
197 Botan::AutoSeeded_RNG rng;
198 Botan::TLS::Session_Manager_In_Memory session_mgr(rng);
199 Credentials creds;
200 if (cafile != NULL)
201 creds.add_certificate_file(cafile);
202 Policy policy;
203
204 callbacks.print_sockname();
205 callbacks.print_peername();
206 Botan::TLS::Client client(callbacks, session_mgr, creds,
207 policy, rng);
208 callbacks.set_channel(client);
209
210 while (!client.is_closed()) {
211 ssize_t n;
212
213 n = recv(s, buf, sizeof(buf), 0);
214 if (n < 0)
215 err(1, "recv");
216 if (n == 0)
217 errx(1, "eof");
218 client.received_data((uint8_t *)&buf, n);
219 }
220 }
221
222 if (close(s) == -1)
223 err(1, "close");
224
225 cout <<"success" <<endl;
226
227 return 0;
228}
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
deleted file mode 100644
index 6698975d7e..0000000000
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ /dev/null
@@ -1,91 +0,0 @@
1# $OpenBSD: Makefile,v 1.7 2021/09/03 11:58:24 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create client and server certificates
5# that are signed by a CA and not signed by a fake CA. Try all
6# combinations with, without, and with wrong CA for client and server
7# and check the result of certificate verification.
8
9LIBRARIES = libressl
10.if exists(/usr/local/bin/eopenssl)
11LIBRARIES += openssl
12.endif
13.if exists(/usr/local/bin/eopenssl11)
14LIBRARIES += openssl11
15.endif
16
17.for cca in noca ca fakeca
18.for sca in noca ca fakeca
19.for ccert in nocert cert
20.for scert in nocert cert
21.for cv in noverify verify
22.for sv in noverify verify certverify
23
24# remember when certificate verification should fail
25.if (("${cv}" == verify && "${cca}" == ca && "${scert}" == cert) || \
26 "${cv}" == noverify) && \
27 (("${sv}" == verify && "${ccert}" == nocert) || \
28 ("${sv}" == verify && "${sca}" == ca && "${ccert}" == cert) || \
29 ("${sv}" == certverify && "${sca}" == ca && "${ccert}" == cert) || \
30 "${sv}" == noverify)
31FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} =
32.else
33FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv} = !
34.endif
35
36.for clib in ${LIBRARIES}
37.for slib in ${LIBRARIES}
38
39.if ("${clib}" == "libressl" || "${slib}" == "libressl")
40REGRESS_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
41.else
42REGRESS_SLOW_TARGETS += run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}
43.endif
44
45run-cert-client-${clib}-${cca}-${ccert}-${cv}-server-${slib}-${sca}-${scert}-${sv}: \
46 127.0.0.1.crt ca.crt fake-ca.crt client.crt server.crt \
47 ../${clib}/client ../${slib}/server
48 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
49 ../${slib}/server >${@:S/^run/server/}.out \
50 ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
51 ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
52 ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \
53 127.0.0.1 0
54 ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \
55 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
56 ../${clib}/client >${@:S/^run/client/}.out \
57 ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \
58 ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \
59 ${cv:S/^noverify//:S/^verify/-v/} \
60 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
61.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}})
62 grep '^success$$' ${@:S/^run/server/}.out || \
63 { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
64 grep '^success$$' ${@:S/^run/client/}.out
65.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \
66 ("${cv}" == verify && "${scert}" != cert)
67 grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out
68.endif
69
70.endfor
71.endfor
72.endfor
73.endfor
74.endfor
75.endfor
76.endfor
77.endfor
78
79REGRESS_TARGETS += run-bob
80run-bob:
81 @echo Bob, be happy! Tests finished.
82
83# argument list too long for a single rm *
84
85clean: _SUBDIRUSE
86 rm -f client-*.out
87 rm -f server-*.out
88 rm -f a.out [Ee]rrs mklog *.core y.tab.h \
89 ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES}
90
91.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
deleted file mode 100644
index bfe8cfea7a..0000000000
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ /dev/null
@@ -1,169 +0,0 @@
1# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
5# and pin client and server to one of the ciphers. Use server
6# certificate with compatible type. Check that client and server
7# have used correct cipher by grepping in their session print out.
8
9run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
10run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \
11client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
12client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
13server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
14server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
15check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
16check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
17 # gost does not work with libressl TLS 1.3 right now
18 @echo DISABLED
19
20LIBRARIES = libressl
21.if exists(/usr/local/bin/eopenssl)
22LIBRARIES += openssl
23.endif
24.if exists(/usr/local/bin/eopenssl11)
25LIBRARIES += openssl11
26.endif
27
28CLEANFILES = *.tmp *.ciphers ciphers.mk
29
30.for clib in ${LIBRARIES}
31client-${clib}.ciphers:
32 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
33 ../${clib}/client -l ALL -L >$@.tmp
34 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
35 rm $@.tmp
36.endfor
37.for slib in ${LIBRARIES}
38server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
39 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
40 ../${slib}/server -l ALL -L >$@.tmp
41 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
42 rm $@.tmp
43.endfor
44
45.for clib in ${LIBRARIES}
46.for slib in ${LIBRARIES}
47ciphers.mk: client-${clib}-server-${slib}.ciphers
48client-${clib}-server-${slib}.ciphers: \
49 client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
50 # get ciphers shared between client and server
51 sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
52 uniq -d <$@.tmp >$@
53 # we are only interested in ciphers supported by libressl
54 sort $@ client-libressl.ciphers >$@.tmp
55. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
56 # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
57 sed -i '/^TLS_/d' $@.tmp
58. endif
59 uniq -d <$@.tmp >$@
60 rm $@.tmp
61.endfor
62.endfor
63
64ciphers.mk:
65 rm -f $@ $@.tmp
66.for clib in ${LIBRARIES}
67.for slib in ${LIBRARIES}
68 echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
69 `cat client-${clib}-server-${slib}.ciphers`
70.endfor
71.endfor
72 mv $@.tmp $@
73
74# hack to convert generated lists into usable make variables
75.if exists(ciphers.mk)
76.include "ciphers.mk"
77.else
78regress: ciphers.mk
79 ${MAKE} -C ${.CURDIR} regress
80.endif
81
82LEVEL_libressl =
83LEVEL_openssl =
84LEVEL_openssl11 = ,@SECLEVEL=0
85
86.for clib in ${LIBRARIES}
87.for slib in ${LIBRARIES}
88.for cipher in ${CIPHERS_${clib}_${slib}}
89
90.if "${cipher:M*-DSS-*}" != ""
91TYPE_${cipher} = dsa
92.elif "${cipher:M*-ECDSA-*}" != ""
93TYPE_${cipher} = ec
94.elif "${cipher:M*-GOST89-*}" != ""
95TYPE_${cipher} = gost
96.elif "${cipher:M*-RSA-*}" != ""
97TYPE_${cipher} = rsa
98.else
99TYPE_${cipher} = 127.0.0.1
100.endif
101
102.if "${slib}" == "openssl" && \
103 "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
104DHPARAM_${cipher}_${slib} = -p dh.param
105.else
106DHPARAM_${cipher}_${slib} =
107.endif
108
109.if ("${clib}" == "libressl" || "${slib}" == "libressl")
110REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
111.else
112REGRESS_SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
113.endif
114run-cipher-${cipher}-client-${clib}-server-${slib} \
115client-cipher-${cipher}-client-${clib}-server-${slib}.out \
116server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
117 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
118 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
119 ../${slib}/server >${@:S/^run/server/}.out \
120 -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
121 -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
122 127.0.0.1 0
123 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
124 ../${clib}/client >${@:S/^run/client/}.out \
125 -l ${cipher}${LEVEL_${clib}} \
126 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
127 grep -q '^success$$' ${@:S/^run/server/}.out || \
128 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
129 grep -q '^success$$' ${@:S/^run/client/}.out
130
131.if ("${clib}" == "libressl" || "${slib}" == "libressl")
132REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
133.else
134REGRESS_SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
135.endif
136check-cipher-${cipher}-client-${clib}-server-${slib}: \
137 client-cipher-${cipher}-client-${clib}-server-${slib}.out \
138 server-cipher-${cipher}-client-${clib}-server-${slib}.out
139.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
140 "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
141 # client and server 1.3 capable, not TLS 1.3 cipher
142. if "${clib}" == "libressl"
143 # libressl client may prefer chacha-poly if aes-ni is not supported
144 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/client/}.out
145. else
146 # openssl 1.1 generic client cipher
147 grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
148. endif
149. if "${clib}" == "libressl"
150 # libressl client may prefer chacha-poly if aes-ni is not supported
151. if "${slib}" == "openssl11"
152 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
153. else
154 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
155. endif
156. else
157 # generic server cipher
158 grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
159. endif
160.else
161 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
162 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
163.endif
164
165.endfor
166.endfor
167.endfor
168
169.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
deleted file mode 100644
index 31a960381e..0000000000
--- a/src/regress/lib/libssl/interop/client.c
+++ /dev/null
@@ -1,285 +0,0 @@
1/* $OpenBSD: client.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */
2/*
3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <sys/types.h>
19#include <sys/socket.h>
20
21#include <err.h>
22#include <netdb.h>
23#include <stdio.h>
24#include <string.h>
25#include <unistd.h>
26
27#include <openssl/err.h>
28#include <openssl/ssl.h>
29
30#include "util.h"
31
32void __dead usage(void);
33
34void __dead
35usage(void)
36{
37 fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
38 "[-l ciphers] [-V version] host port\n");
39 exit(2);
40}
41
42int
43main(int argc, char *argv[])
44{
45 const SSL_METHOD *method;
46 SSL_CTX *ctx;
47 SSL *ssl;
48 BIO *bio;
49 SSL_SESSION *session = NULL;
50 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
51 int version = 0;
52 char buf[256];
53 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
54 char *host_port, *host = "127.0.0.1", *port = "0";
55
56 while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
57 switch (ch) {
58 case 'C':
59 ca = optarg;
60 break;
61 case 'c':
62 crt = optarg;
63 break;
64 case 'k':
65 key = optarg;
66 break;
67 case 'L':
68 listciphers = 1;
69 break;
70 case 'l':
71 ciphers = optarg;
72 break;
73 case 's':
74 /* multiple reueses are possible */
75 sessionreuse++;
76 break;
77 case 'V':
78 if (strcmp(optarg, "TLS1") == 0) {
79 version = TLS1_VERSION;
80 } else if (strcmp(optarg, "TLS1_1") == 0) {
81 version = TLS1_1_VERSION;
82 } else if (strcmp(optarg, "TLS1_2") == 0) {
83 version = TLS1_2_VERSION;
84#ifdef TLS1_3_VERSION
85 } else if (strcmp(optarg, "TLS1_3") == 0) {
86 version = TLS1_3_VERSION;
87#endif
88 } else {
89 errx(1, "unknown protocol version: %s", optarg);
90 }
91 break;
92 case 'v':
93 verify = 1;
94 break;
95 default:
96 usage();
97 }
98 }
99 argc -= optind;
100 argv += optind;
101 if (argc == 2) {
102 host = argv[0];
103 port = argv[1];
104 } else if (!listciphers) {
105 usage();
106 }
107 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
108 host, port) == -1)
109 err(1, "asprintf host port");
110 if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
111 errx(1, "certificate and private key must be used together");
112
113 SSL_library_init();
114 SSL_load_error_strings();
115 print_version();
116
117 /* setup method and context */
118#if OPENSSL_VERSION_NUMBER >= 0x1010000f
119 method = TLS_client_method();
120 if (method == NULL)
121 err_ssl(1, "TLS_client_method");
122#else
123 switch (version) {
124 case TLS1_VERSION:
125 method = TLSv1_client_method();
126 break;
127 case TLS1_1_VERSION:
128 method = TLSv1_1_client_method();
129 break;
130 case TLS1_2_VERSION:
131 method = TLSv1_2_client_method();
132 break;
133#ifdef TLS1_3_VERSION
134 case TLS1_3_VERSION:
135 err(1, "TLS1_3 not supported");
136#endif
137 default:
138 method = SSLv23_client_method();
139 break;
140 }
141 if (method == NULL)
142 err_ssl(1, "SSLv23_client_method");
143#endif
144 ctx = SSL_CTX_new(method);
145 if (ctx == NULL)
146 err_ssl(1, "SSL_CTX_new");
147
148#if OPENSSL_VERSION_NUMBER >= 0x1010000f
149 if (version) {
150 if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
151 err_ssl(1, "SSL_CTX_set_min_proto_version");
152 if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
153 err_ssl(1, "SSL_CTX_set_max_proto_version");
154 }
155#endif
156
157 /* load client certificate */
158 if (crt != NULL) {
159 if (SSL_CTX_use_certificate_file(ctx, crt,
160 SSL_FILETYPE_PEM) <= 0)
161 err_ssl(1, "SSL_CTX_use_certificate_file");
162 if (SSL_CTX_use_PrivateKey_file(ctx, key,
163 SSL_FILETYPE_PEM) <= 0)
164 err_ssl(1, "SSL_CTX_use_PrivateKey_file");
165 if (SSL_CTX_check_private_key(ctx) <= 0)
166 err_ssl(1, "SSL_CTX_check_private_key");
167 }
168
169 /* verify server certificate */
170 if (ca != NULL) {
171 if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
172 err_ssl(1, "SSL_CTX_load_verify_locations");
173 }
174 SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
175 verify_callback);
176
177 if (sessionreuse) {
178 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
179 }
180
181 if (ciphers) {
182 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
183 err_ssl(1, "SSL_CTX_set_cipher_list");
184 }
185
186 if (listciphers) {
187 STACK_OF(SSL_CIPHER) *supported_ciphers;
188
189#if OPENSSL_VERSION_NUMBER < 0x1010000f
190#define SSL_get1_supported_ciphers SSL_get_ciphers
191#endif
192 ssl = SSL_new(ctx);
193 if (ssl == NULL)
194 err_ssl(1, "SSL_new");
195 supported_ciphers = SSL_get1_supported_ciphers(ssl);
196 if (supported_ciphers == NULL)
197 err_ssl(1, "SSL_get1_supported_ciphers");
198 print_ciphers(supported_ciphers);
199
200#if OPENSSL_VERSION_NUMBER >= 0x1010000f
201 sk_SSL_CIPHER_free(supported_ciphers);
202#endif
203 return 0;
204 }
205
206 do {
207 /* setup bio for socket operations */
208 bio = BIO_new_connect(host_port);
209 if (bio == NULL)
210 err_ssl(1, "BIO_new_connect");
211
212 /* connect */
213 if (BIO_do_connect(bio) <= 0)
214 err_ssl(1, "BIO_do_connect");
215 printf("connect ");
216 print_sockname(bio);
217 printf("connect ");
218 print_peername(bio);
219
220 /* do ssl client handshake */
221 ssl = SSL_new(ctx);
222 if (ssl == NULL)
223 err_ssl(1, "SSL_new");
224 SSL_set_bio(ssl, bio, bio);
225 /* resuse session if possible */
226 if (session != NULL) {
227 if (SSL_set_session(ssl, session) <= 0)
228 err_ssl(1, "SSL_set_session");
229 }
230 if ((error = SSL_connect(ssl)) <= 0)
231 err_ssl(1, "SSL_connect %d", error);
232 printf("session %d: %s\n", sessionreuse,
233 SSL_session_reused(ssl) ? "reuse" : "new");
234 if (fflush(stdout) != 0)
235 err(1, "fflush stdout");
236
237 /* print session statistics */
238 if (sessionreuse) {
239 session = SSL_get1_session(ssl);
240 if (session == NULL)
241 err_ssl(1, "SSL1_get_session");
242 } else {
243 session = SSL_get_session(ssl);
244 if (session == NULL)
245 err_ssl(1, "SSL_get_session");
246 }
247 if (SSL_SESSION_print_fp(stdout, session) <= 0)
248 err_ssl(1, "SSL_SESSION_print_fp");
249
250 /* read server greeting and write client hello over TLS */
251 if ((error = SSL_read(ssl, buf, 9)) <= 0)
252 err_ssl(1, "SSL_read %d", error);
253 if (error != 9)
254 errx(1, "read not 9 bytes greeting: %d", error);
255 buf[9] = '\0';
256 printf("<<< %s", buf);
257 if (fflush(stdout) != 0)
258 err(1, "fflush stdout");
259 strlcpy(buf, "hello\n", sizeof(buf));
260 printf(">>> %s", buf);
261 if (fflush(stdout) != 0)
262 err(1, "fflush stdout");
263 if ((error = SSL_write(ssl, buf, 6)) <= 0)
264 err_ssl(1, "SSL_write %d", error);
265 if (error != 6)
266 errx(1, "write not 6 bytes hello: %d", error);
267
268 /* shutdown connection */
269 if ((error = SSL_shutdown(ssl)) < 0)
270 err_ssl(1, "SSL_shutdown unidirectional %d", error);
271 if (error <= 0) {
272 if ((error = SSL_shutdown(ssl)) <= 0)
273 err_ssl(1, "SSL_shutdown bidirectional %d",
274 error);
275 }
276
277 SSL_free(ssl);
278 } while (sessionreuse--);
279
280 SSL_CTX_free(ctx);
281
282 printf("success\n");
283
284 return 0;
285}
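diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
deleted file mode 100644
index d8e20ca122..0000000000
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ /dev/null
@@ -1,34 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2020/12/25 10:50:08 tb Exp $
-
-PROGS = client server
-CFLAGS += -DLIBRESSL_HAS_TLS1_3
-CPPFLAGS +=
-LDFLAGS +=
-LDADD += -lssl -lcrypto
-DPADD += ${LIBSSL} ${LIBCRYPTO}
-LD_LIBRARY_PATH =
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with LibreSSL
- grep -q /usr/lib/libcrypto.so ldd-$p.out
- grep -q /usr/lib/libssl.so ldd-$p.out
- # check that $p is not linked with OpenSSL
- ! grep /usr/local/lib/ ldd-$p.out
-
-run-version-$p: $p-self.out
- # check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that LibreSSL protocol version is TLS 1.3
- grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.include <bsd.regress.mk>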
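--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ /dev/null
@@ -1,84 +0,0 @@
-# $OpenBSD: Makefile,v 1.5 2020/12/17 00:51:11 bluhm Exp $
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-# run netcat server and connect with test client
-
-.for clib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-netcat-client-${clib}-server-nc
-REGRESS_TARGETS += run-protocol-client-${clib}
-
-run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt
- echo "greeting" | \
- nc >${@:S/^run/server/}.out \
- -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
- 127.0.0.1 0 & \
- for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \
- grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \
- exit 0; done; exit 1
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat`
- # check that the client run successfully to the end
- grep -q '^success$$' ${@:S/^run/client/}.out
- # client must have read server greeting
- grep -q '^<<< greeting$$' ${@:S/^run/client/}.out
- # netstat server must have read client hello
- grep -q '^hello$$' ${@:S/^run/server/}.out
-
-.endfor
-
-# run test server and connect with netcat client
-
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-netcat-client-nc-server-${slib}
-
-run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- 127.0.0.1 0
- echo "hello" | \
- nc >${@:S/^run/client/}.out \
- -c -R 127.0.0.1.crt \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
- # check that the server child run successfully to the end
- grep -q '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
- # server must have read client hello
- grep -q '^<<< hello$$' ${@:S/^run/server/}.out
- # client must have read server greeting
- grep -q '^greeting$$' ${@:S/^run/client/}.out
-
-.endfor
-
-# check the TLS protocol version in client and server logs
-
-.for clib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-protocol-client-${clib}
-
-run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out
- # check that LibTLS protocol version is TLS 1.2 or TLS 1.3
- grep 'Protocol *: TLSv1.[23]' client-netcat-client-${clib}-server-nc.out
-
-.endfor
-
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-protocol-server-${slib}
-
-run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out
- # check that LibTLS protocol version is TLS 1.2 or TLS 1.3
- grep 'Protocol *: TLSv1.[23]' server-netcat-client-nc-server-${slib}.out
-
-.endfor
-
-.include <bsd.regress.mk>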
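--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2021/12/02 17:10:53 kn Exp $
-
-.if ! exists(/usr/local/bin/eopenssl)
-regress:
- # install openssl-1.0.2 from ports for interop tests
- @echo 'Run "pkg_add openssl--%1.0.2" to run tests against OpenSSL 1.0.2'
- @echo SKIPPED
-.else
-
-PROGS = client server
-CPPFLAGS = -I /usr/local/include/eopenssl
-LDFLAGS = -L /usr/local/lib/eopenssl
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl/libssl.a \
- /usr/local/lib/eopenssl/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with OpenSSL
- grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
- grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
- # check that $p is not linked with LibreSSL
- ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
- # check that runtime version is OpenSSL 1.0.2
- grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that OpenSSL 1.0.2 protocol version is TLS 1.2
- grep 'Protocol *: TLSv1.2' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl)
-
-.include <bsd.regress.mk>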
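--- a/src/regress/lib/libssl/interop/openssl11/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $OpenBSD: Makefile,v 1.8 2021/12/02 17:10:53 kn Exp $
-
-.if ! exists(/usr/local/bin/eopenssl11)
-regress:
- # install openssl-1.1 from ports for interop tests
- @echo 'Run "pkg_add openssl--%1.1" to run tests against OpenSSL 1.1'
- @echo SKIPPED
-.else
-
-PROGS = client server
-CPPFLAGS = -I /usr/local/include/eopenssl11
-LDFLAGS = -L /usr/local/lib/eopenssl11
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl11/libssl.a \
- /usr/local/lib/eopenssl11/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl11
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with OpenSSL 1.1
- grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out
- grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out
- # check that $p is not linked with LibreSSL
- ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
- # check that runtime version is OpenSSL 1.1
- grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that OpenSSL 1.1 protocol version is TLS 1.3
- grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl11)
-
-.include <bsd.regress.mk>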
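--- a/src/regress/lib/libssl/interop/server.c
+++ /dev/null
@@ -1,332 +0,0 @@
-/* $OpenBSD: server.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-#include "util.h"
-
-void __dead usage(void);
-
-void __dead
-usage(void)
-{
- fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
- "[-l ciphers] [-p dhparam] [-V version] [host port]\n");
- exit(2);
-}
-
-int
-main(int argc, char *argv[])
-{
- const SSL_METHOD *method;
- SSL_CTX *ctx;
- SSL *ssl;
- BIO *abio, *cbio;
- SSL_SESSION *session;
- int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
- int version = 0;
- char buf[256], *dhparam = NULL;
- char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
- char *host_port, *host = "127.0.0.1", *port = "0";
-
- while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) {
- switch (ch) {
- case 'C':
- ca = optarg;
- break;
- case 'c':
- crt = optarg;
- break;
- case 'k':
- key = optarg;
- break;
- case 'L':
- listciphers = 1;
- break;
- case 'l':
- ciphers = optarg;
- break;
- case 'p':
- dhparam = optarg;
- break;
- case 's':
- /* multiple reueses are possible */
- sessionreuse++;
- break;
- case 'V':
- if (strcmp(optarg, "TLS1") == 0) {
- version = TLS1_VERSION;
- } else if (strcmp(optarg, "TLS1_1") == 0) {
- version = TLS1_1_VERSION;
- } else if (strcmp(optarg, "TLS1_2") == 0) {
- version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
- } else if (strcmp(optarg, "TLS1_3") == 0) {
- version = TLS1_3_VERSION;
-#endif
- } else {
- errx(1, "unknown protocol version: %s", optarg);
- }
- break;
- case 'v':
- /* use twice to force client cert */
- verify++;
- break;
- default:
- usage();
- }
- }
- argc -= optind;
- argv += optind;
- if (argc == 2) {
- host = argv[0];
- port = argv[1];
- } else if (argc != 0 && !listciphers) {
- usage();
- }
- if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
- host, port) == -1)
- err(1, "asprintf host port");
- if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
- errx(1, "certificate and private key must be used together");
- if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
- err(1, "asprintf crt");
- if (key == NULL && asprintf(&key, "%s.key", host) == -1)
- err(1, "asprintf key");
-
- SSL_library_init();
- SSL_load_error_strings();
- print_version();
-
- /* setup method and context */
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- method = TLS_server_method();
- if (method == NULL)
- err_ssl(1, "TLS_server_method");
-#else
- switch (version) {
- case TLS1_VERSION:
- method = TLSv1_server_method();
- break;
- case TLS1_1_VERSION:
- method = TLSv1_1_server_method();
- break;
- case TLS1_2_VERSION:
- method = TLSv1_2_server_method();
- break;
-#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- err(1, "TLS1_3 not supported");
-#endif
- default:
- method = SSLv23_server_method();
- break;
- }
- if (method == NULL)
- err_ssl(1, "SSLv23_server_method");
-#endif
- ctx = SSL_CTX_new(method);
- if (ctx == NULL)
- err_ssl(1, "SSL_CTX_new");
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- if (version) {
- if (SSL_CTX_set_min_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_min_proto_version");
- if (SSL_CTX_set_max_proto_version(ctx, version) != 1)
- err_ssl(1, "SSL_CTX_set_max_proto_version");
- }
-#endif
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
- /* needed to use DHE cipher with libressl */
- if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
- err_ssl(1, "SSL_CTX_set_dh_auto");
-#endif
- /* needed to use ADH, EDH, DHE cipher with openssl */
- if (dhparam != NULL) {
- DH *dh;
- FILE *file;
-
- file = fopen(dhparam, "r");
- if (file == NULL)
- err(1, "fopen %s", dhparam);
- dh = PEM_read_DHparams(file, NULL, NULL, NULL);
- if (dh == NULL)
- err_ssl(1, "PEM_read_DHparams");
- if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0)
- err_ssl(1, "SSL_CTX_set_tmp_dh");
- fclose(file);
- }
-
- /* needed when linking with OpenSSL 1.0.2p */
- if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
- err_ssl(1, "SSL_CTX_set_ecdh_auto");
-
- /* load server certificate */
- if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_certificate_file");
- if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0)
- err_ssl(1, "SSL_CTX_use_PrivateKey_file");
- if (SSL_CTX_check_private_key(ctx) <= 0)
- err_ssl(1, "SSL_CTX_check_private_key");
-
- /* request client certificate and verify it */
- if (ca != NULL) {
- STACK_OF(X509_NAME) *x509stack;
-
- x509stack = SSL_load_client_CA_file(ca);
- if (x509stack == NULL)
- err_ssl(1, "SSL_load_client_CA_file");
- SSL_CTX_set_client_CA_list(ctx, x509stack);
- if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
- err_ssl(1, "SSL_CTX_load_verify_locations");
- }
- SSL_CTX_set_verify(ctx,
- verify == 0 ? SSL_VERIFY_NONE :
- verify == 1 ? SSL_VERIFY_PEER :
- SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- verify_callback);
-
- if (sessionreuse) {
- uint32_t context;
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
- context = arc4random();
- if (SSL_CTX_set_session_id_context(ctx,
- (unsigned char *)&context, sizeof(context)) <= 0)
- err_ssl(1, "SSL_CTX_set_session_id_context");
- }
-
- if (ciphers) {
- if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
- err_ssl(1, "SSL_CTX_set_cipher_list");
- }
-
- if (listciphers) {
- STACK_OF(SSL_CIPHER) *supported_ciphers;
-
-#if OPENSSL_VERSION_NUMBER < 0x1010000f
-#define SSL_get1_supported_ciphers SSL_get_ciphers
-#endif
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- supported_ciphers = SSL_get1_supported_ciphers(ssl);
- if (supported_ciphers == NULL)
- err_ssl(1, "SSL_get1_supported_ciphers");
- print_ciphers(supported_ciphers);
-
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- sk_SSL_CIPHER_free(supported_ciphers);
-#endif
- return 0;
- }
-
- /* setup bio for socket operations */
- abio = BIO_new_accept(host_port);
- if (abio == NULL)
- err_ssl(1, "BIO_new_accept");
-
- /* bind, listen */
- if (BIO_do_accept(abio) <= 0)
- err_ssl(1, "BIO_do_accept setup");
- printf("listen ");
- print_sockname(abio);
-
- /* fork to background and set timeout */
- if (daemon(1, 1) == -1)
- err(1, "daemon");
- alarm(10);
-
- do {
- /* accept connection */
- if (BIO_do_accept(abio) <= 0)
- err_ssl(1, "BIO_do_accept wait");
- cbio = BIO_pop(abio);
- printf("accept ");
- print_sockname(cbio);
- printf("accept ");
- print_peername(cbio);
-
- /* do ssl server handshake */
- ssl = SSL_new(ctx);
- if (ssl == NULL)
- err_ssl(1, "SSL_new");
- SSL_set_bio(ssl, cbio, cbio);
- if ((error = SSL_accept(ssl)) <= 0)
- err_ssl(1, "SSL_accept %d", error);
- printf("session %d: %s\n", sessionreuse,
- SSL_session_reused(ssl) ? "reuse" : "new");
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
-
- /* print session statistics */
- session = SSL_get_session(ssl);
- if (session == NULL)
- err_ssl(1, "SSL_get_session");
- if (SSL_SESSION_print_fp(stdout, session) <= 0)
- err_ssl(1, "SSL_SESSION_print_fp");
-
- /* write server greeting and read client hello over TLS */
- strlcpy(buf, "greeting\n", sizeof(buf));
- printf(">>> %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
- if ((error = SSL_write(ssl, buf, 9)) <= 0)
- err_ssl(1, "SSL_write %d", error);
- if (error != 9)
- errx(1, "write not 9 bytes greeting: %d", error);
- if ((error = SSL_read(ssl, buf, 6)) <= 0)
- err_ssl(1, "SSL_read %d", error);
- if (error != 6)
- errx(1, "read not 6 bytes hello: %d", error);
- buf[6] = '\0';
- printf("<<< %s", buf);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- /* shutdown connection */
- if ((error = SSL_shutdown(ssl)) < 0)
- err_ssl(1, "SSL_shutdown unidirectional %d", error);
- if (error <= 0) {
- if ((error = SSL_shutdown(ssl)) <= 0)
- err_ssl(1, "SSL_shutdown bidirectional %d",
- error);
- }
-
- SSL_free(ssl);
- } while (sessionreuse--);
-
- SSL_CTX_free(ctx);
-
- printf("success\n");
-
- return 0;
-}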
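--- a/src/regress/lib/libssl/interop/session/Makefile
+++ /dev/null
@@ -1,46 +0,0 @@
-# $OpenBSD: Makefile,v 1.6 2020/12/17 00:51:11 bluhm Exp $
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-run-session-client-libressl-server-libressl \
-run-session-client-libressl-server-openssl11 \
-run-session-client-openssl11-server-libressl \
-run-session-client-openssl11-server-openssl11:
- # TLS 1.3 needs some extra setup for session reuse
- @echo DISABLED
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-REGRESS_TARGETS += run-session-client-${clib}-server-${slib}
-
-run-session-client-${clib}-server-${slib}: \
- 127.0.0.1.crt ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- -ss \
- 127.0.0.1 0
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- -ss \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
- grep '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; }
- grep '^success$$' ${@:S/^run/client/}.out
- grep '^session 2: new$$' ${@:S/^run/server/}.out
- grep '^session 2: new$$' ${@:S/^run/client/}.out
- grep '^session 1: reuse$$' ${@:S/^run/server/}.out
- grep '^session 1: reuse$$' ${@:S/^run/client/}.out
- grep '^session 0: reuse$$' ${@:S/^run/server/}.out
- grep '^session 0: reuse$$' ${@:S/^run/client/}.out
-
-.endfor
-.endfor
-
-.include <bsd.regress.mk>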
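--- a/src/regress/lib/libssl/interop/util.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <err.h>
-#include <netdb.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-#include <openssl/opensslv.h>
-#include <openssl/crypto.h>
-
-#include "util.h"
-
-void
-print_version(void)
-{
-#ifdef OPENSSL_VERSION_NUMBER
- printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_NUMBER
- printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
-#endif
-#ifdef LIBRESSL_VERSION_TEXT
- printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
- printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
- printf("OpenSSL_version OPENSSL_VERSION: %s\n",
- OpenSSL_version(OPENSSL_VERSION));
- printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
- OpenSSL_version(OPENSSL_CFLAGS));
- printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
- OpenSSL_version(OPENSSL_BUILT_ON));
- printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
- OpenSSL_version(OPENSSL_PLATFORM));
- printf("OpenSSL_version OPENSSL_DIR: %s\n",
- OpenSSL_version(OPENSSL_DIR));
- printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
- OpenSSL_version(OPENSSL_ENGINES_DIR));
-#endif
- printf("SSLeay: %#08lx\n", SSLeay());
- printf("SSLeay_version SSLEAY_VERSION: %s\n",
- SSLeay_version(SSLEAY_VERSION));
- printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
- SSLeay_version(SSLEAY_CFLAGS));
- printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
- SSLeay_version(SSLEAY_BUILT_ON));
- printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
- SSLeay_version(SSLEAY_PLATFORM));
- printf("SSLeay_version SSLEAY_DIR: %s\n",
- SSLeay_version(SSLEAY_DIR));
-}
-
-void
-print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
-{
- const SSL_CIPHER *cipher;
- int i;
-
- for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
- printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-print_sockname(BIO *bio)
-{
- struct sockaddr_storage ss;
- socklen_t slen;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- int fd;
-
- if (BIO_get_fd(bio, &fd) <= 0)
- err_ssl(1, "BIO_get_fd");
- slen = sizeof(ss);
- if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getsockname");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- printf("sock: %s %s\n", host, port);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-print_peername(BIO *bio)
-{
- struct sockaddr_storage ss;
- socklen_t slen;
- char host[NI_MAXHOST], port[NI_MAXSERV];
- int fd;
-
- if (BIO_get_fd(bio, &fd) <= 0)
- err_ssl(1, "BIO_get_fd");
- slen = sizeof(ss);
- if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
- err(1, "getpeername");
- if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
- sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
- errx(1, "getnameinfo");
- printf("peer: %s %s\n", host, port);
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-}
-
-void
-err_ssl(int eval, const char *fmt, ...)
-{
- va_list ap;
-
- ERR_print_errors_fp(stderr);
- va_start(ap, fmt);
- verrx(eval, fmt, ap);
- va_end(ap);
-}
-
-int
-verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
-{
- printf("verify: %s\n", preverify_ok ? "pass" : "fail");
- if (fflush(stdout) != 0)
- err(1, "fflush stdout");
-
- return preverify_ok;
-}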
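--- a/src/regress/lib/libssl/interop/util.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */
-/*
- * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-void print_version(void);
-void print_ciphers(STACK_OF(SSL_CIPHER) *);
-void print_sockname(BIO *);
-void print_peername(BIO *);
-void err_ssl(int, const char *, ...);
-int verify_callback(int, X509_STORE_CTX *);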
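--- a/src/regress/lib/libssl/interop/version/Makefile
+++ /dev/null
@@ -1,103 +0,0 @@
-# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $
-
-# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
-# version number. Incompatible versions must fail. Check that client
-# and server have used correct version by grepping in their session
-# print out.
-
-LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
-.if exists(/usr/local/bin/eopenssl11)
-LIBRARIES += openssl11
-.endif
-
-VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
-
-.for cver in ${VERSIONS}
-.for sver in ${VERSIONS}
-
-.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}"
-FAIL_${cver}_${sver} =
-.else
-FAIL_${cver}_${sver} = !
-.endif
-
-.for clib in ${LIBRARIES}
-.for slib in ${LIBRARIES}
-
-.if ("${clib}" != openssl && "${slib}" != openssl) || \
- ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
-.else
-REGRESS_SLOW_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
-.endif
-
-run-version-client-${clib}-${cver}-server-${slib}-${sver} \
-client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
-server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
- 127.0.0.1.crt ../${clib}/client ../${slib}/server
- LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
- ../${slib}/server >${@:S/^run/server/}.out \
- -c 127.0.0.1.crt -k 127.0.0.1.key \
- ${sver:Nany:S/^/-V /} \
- 127.0.0.1 0
- ${FAIL_${cver}_${sver}} \
- LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
- ../${clib}/client >${@:S/^run/client/}.out \
- ${cver:Nany:S/^/-V /} \
- `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
-.if empty(${FAIL_${cver}_${sver}})
- grep -q '^success$$' ${@:S/^run/server/}.out || \
- { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
- grep -q '^success$$' ${@:S/^run/client/}.out
-.endif
-
-.if empty(${FAIL_${cver}_${sver}})
-
-.if ("${clib}" == "libressl" || "${slib}" == "libressl")
-REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
-.else
-REGRESS_SLOW_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
-.endif
-
-check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
- client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
- server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
- @grep ' Protocol *: ' ${@:S/^check/client/}.out
- @grep ' Protocol *: ' ${@:S/^check/server/}.out
-.if "${cver}" == any
-.if "${sver}" == any
-.if "${clib}" == openssl || "${slib}" == openssl
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
-.else
- grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
- grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
-.endif
-.else
- grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
- ${@:S/^check/client/}.out
- grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
- ${@:S/^check/server/}.out
-.endif
-.else
- grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
- ${@:S/^check/client/}.out
- grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
- ${@:S/^check/server/}.out
-.endif
-.endif
-
-.endif
-
-.endfor
-.endfor
-.endfor
-.endfor
-
-.include <bsd.regress.mk>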