1 files changed, 129 insertions, 0 deletions
diff --git a/src/regress/usr.bin/openssl/x509/Makefile b/src/regress/usr.bin/openssl/x509/Makefile
new file mode 100644
index 0000000000..b20cb1d9bd
--- /dev/null
+++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -0,0 +1,129 @@
+# $OpenBSD: Makefile,v 1.1 2021/02/16 21:39:17 jan Exp $
+# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# This regression test is based on manual test descriptions from:
+# https://github.com/noxxi/libressl-tests
+# The following port must be installed for the regression tests:
+# p5-IO-Socket-SSL      perl interface to SSL sockets
+PERL =          perl
+OPENSSL ?=      openssl
+PKG_REQUIRE != pkg_info -e 'p5-IO-Socket-SSL-*'
+.if empty (PKG_REQUIRE)
+regress:
+        @echo "missing package p5-IO-Socket-SSL"
+        @echo SKIPPED
+.endif
+REGRESS_TARGETS +=      test-inlabel-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=      test-inlabel-wildcard-cert-CA-client
+REGRESS_TARGETS +=      test-common-wildcard-cert-no-CA-client
+REGRESS_TARGETS +=      test-common-wildcard-cert-CA-client
+REGRESS_TARGETS +=      test-verify-unusual-wildcard-cert
+REGRESS_TARGETS +=      test-openssl-verify-common-wildcard-cert
+REGRESS_TARGETS +=      test-chain-certificates-s_server
+REGRESS_TARGETS +=      test-alternative-chain
+REGRESS_CLEANUP =       cleanup-ssl
+REGRESS_SETUP_ONCE =    create-libressl-test-certs
+REGRESS_EXPECTED_FAILURES +=    test-unusual-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-no-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-common-wildcard-cert-CA-client
+REGRESS_EXPECTED_FAILURES +=    test-verify-unusual-wildcard-cert
+create-libressl-test-certs: create-libressl-test-certs.pl
+        ${PERL} ${.CURDIR}/$@.pl
+cleanup-ssl:
+        rm *.pem *.key
+test-inlabel-wildcard-cert-no-CA-client:
+        # unusual wildcard cert, no CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -verify_return_error \
+            | grep "Verify return code: 21"
+test-inlabel-wildcard-cert-CA-client:
+        # unusual wildcard cert, CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+            | grep "Verify return code: 0"
+test-common-wildcard-cert-no-CA-client:
+        # common wildcard cert, no CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-common-wildcard.pem \
+            -key server-common-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client \
+            | grep "Verify return code: 21"
+test-common-wildcard-cert-CA-client:
+        # common wildcard cert, CA given to client
+        # start server
+        ${OPENSSL} s_server -cert server-unusual-wildcard.pem \
+            -key server-unusual-wildcard.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+        echo "Q" | ${OPENSSL} s_client -CAfile caR.pem \
+            | grep "Verify return code: 21"
+test-verify-unusual-wildcard-cert:
+        # openssl verify, unusual wildcard cert
+        ${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
+            | grep "server-unusual-wildcard.pem: OK"
+test-openssl-verify-common-wildcard-cert:
+        # openssl verify, common wildcard cert
+        ${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
+            | grep "server-common-wildcard.pem: OK"
+test-chain-certificates-s_server:
+        # Not all chain certificates are sent in s_server
+        # start server
+        # ${OPENSSL} s_server -cert server-subca.pem        -CAfile subcaR.pem
+        ${OPENSSL} s_server -cert server-subca-chainS.pem -CAfile subcaR.pem & \
+            timeout=$$(($$(date +%s) + 5)); \
+            while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+                do test $$(date +%s) -lt $$timeout || exit 1; done
+        # start client
+         ${OPENSSL} s_client -CAfile caR.pem | grep "Verify return code: 0"
+test-alternative-chain:
+        # alternative chain not found
+        ${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
+           server-subca.pem | grep "server-subca.pem: OK"
+.include <bsd.regress.mk>

diff --git a/src/regress/usr.bin/openssl/x509/Makefile b/src/regress/usr.bin/openssl/x509/Makefile new file mode 100644 index 0000000000..b20cb1d9bd --- /dev/null +++ b/src/regress/usr.bin/openssl/x509/Makefile
@@ -0,0 +1,129 @@
	1	# $OpenBSD: Makefile,v 1.1 2021/02/16 21:39:17 jan Exp $
	2
	3	# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
	4	#
	5	# Permission to use, copy, modify, and distribute this software for any
	6	# purpose with or without fee is hereby granted, provided that the above
	7	# copyright notice and this permission notice appear in all copies.
	8	#
	9	# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16
	17	# This regression test is based on manual test descriptions from:
	18	# https://github.com/noxxi/libressl-tests
	19
	20	# The following port must be installed for the regression tests:
	21	# p5-IO-Socket-SSL perl interface to SSL sockets
	22
	23	PERL = perl
	24	OPENSSL ?= openssl
	25
	26	PKG_REQUIRE != pkg_info -e 'p5-IO-Socket-SSL-*'
	27	.if empty (PKG_REQUIRE)
	28	regress:
	29	@echo "missing package p5-IO-Socket-SSL"
	30	@echo SKIPPED
	31	.endif
	32
	33	REGRESS_TARGETS += test-inlabel-wildcard-cert-no-CA-client
	34	REGRESS_TARGETS += test-inlabel-wildcard-cert-CA-client
	35	REGRESS_TARGETS += test-common-wildcard-cert-no-CA-client
	36	REGRESS_TARGETS += test-common-wildcard-cert-CA-client
	37	REGRESS_TARGETS += test-verify-unusual-wildcard-cert
	38	REGRESS_TARGETS += test-openssl-verify-common-wildcard-cert
	39	REGRESS_TARGETS += test-chain-certificates-s_server
	40	REGRESS_TARGETS += test-alternative-chain
	41	REGRESS_CLEANUP = cleanup-ssl
	42	REGRESS_SETUP_ONCE = create-libressl-test-certs
	43
	44	REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client
	45	REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client
	46	REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client
	47	REGRESS_EXPECTED_FAILURES += test-verify-unusual-wildcard-cert
	48
	49	create-libressl-test-certs: create-libressl-test-certs.pl
	50	${PERL} ${.CURDIR}/$@.pl
	51
	52	cleanup-ssl:
	53	rm .pem .key
	54
	55	test-inlabel-wildcard-cert-no-CA-client:
	56	# unusual wildcard cert, no CA given to client
	57	# start server
	58	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
	59	-key server-unusual-wildcard.pem & \
	60	timeout=$$(($$(date +%s) + 5)); \
	61	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
	62	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
	63	# start client
	64	echo "Q" \| ${OPENSSL} s_client -verify_return_error \
	65	\| grep "Verify return code: 21"
	66
	67	test-inlabel-wildcard-cert-CA-client:
	68	# unusual wildcard cert, CA given to client
	69	# start server
	70	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
	71	-key server-unusual-wildcard.pem & \
	72	timeout=$$(($$(date +%s) + 5)); \
	73	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
	74	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
	75	# start client
	76	echo "Q" \| ${OPENSSL} s_client -CAfile caR.pem \
	77	\| grep "Verify return code: 0"
	78
	79	test-common-wildcard-cert-no-CA-client:
	80	# common wildcard cert, no CA given to client
	81	# start server
	82	${OPENSSL} s_server -cert server-common-wildcard.pem \
	83	-key server-common-wildcard.pem & \
	84	timeout=$$(($$(date +%s) + 5)); \
	85	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
	86	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
	87	# start client
	88	echo "Q" \| ${OPENSSL} s_client \
	89	\| grep "Verify return code: 21"
	90
	91	test-common-wildcard-cert-CA-client:
	92	# common wildcard cert, CA given to client
	93	# start server
	94	${OPENSSL} s_server -cert server-unusual-wildcard.pem \
	95	-key server-unusual-wildcard.pem & \
	96	timeout=$$(($$(date +%s) + 5)); \
	97	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
	98	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
	99	# start client
	100	echo "Q" \| ${OPENSSL} s_client -CAfile caR.pem \
	101	\| grep "Verify return code: 21"
	102
	103	test-verify-unusual-wildcard-cert:
	104	# openssl verify, unusual wildcard cert
	105	${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
	106	\| grep "server-unusual-wildcard.pem: OK"
	107
	108	test-openssl-verify-common-wildcard-cert:
	109	# openssl verify, common wildcard cert
	110	${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
	111	\| grep "server-common-wildcard.pem: OK"
	112
	113	test-chain-certificates-s_server:
	114	# Not all chain certificates are sent in s_server
	115	# start server
	116	# ${OPENSSL} s_server -cert server-subca.pem -CAfile subcaR.pem
	117	${OPENSSL} s_server -cert server-subca-chainS.pem -CAfile subcaR.pem & \
	118	timeout=$$(($$(date +%s) + 5)); \
	119	while fstat -p $$! \| ! grep -q 'tcp .* \*:4433$$'; \
	120	do test $$(date +%s) -lt $$timeout \|\| exit 1; done
	121	# start client
	122	${OPENSSL} s_client -CAfile caR.pem \| grep "Verify return code: 0"
	123
	124	test-alternative-chain:
	125	# alternative chain not found
	126	${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
	127	server-subca.pem \| grep "server-subca.pem: OK"
	128
	129	.include <bsd.regress.mk>