summaryrefslogtreecommitdiff
path: root/src/regress/lib/libssl/interop (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Interop tests for openssl 3.3 and 3.4, retire 3.2, 1.1 (and 3.1 remnants)tb2025-01-1512-191/+130
| | | | | | OpenSSL 1.1 and 3.2 will be removed from the ports tree, so test the two remaining versions. Unfortunately, this requires a lot more manual massaging than there should be.
* Suppress warning noise from deprecated OpenSSL APItb2024-10-221-1/+2
|
* Drop OpenSSL 3.0 interop testing infrastructuretb2024-08-188-75/+11
| | | | | The openssl 3.0 port was removed nearly a year ago shortly after the 7.4 release.
* Add support for openssl32 in interop testtb2024-08-187-9/+70
|
* Remove GOST and STREEBOG support from libssl.beck2024-02-032-26/+4
| | | | | | | | | | | | | | | | | | This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@
* Add support for OpenSSL 3.1 interop teststb2023-10-308-11/+74
| | | | | | Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything.
* Make libssl interop server/client tests less flaky by ensuring theanton2023-10-181-1/+3
| | | | server has terminated before examining the outcome.
* Disable TLS 1.0 and TLS 1.1 in libsslbeck2023-07-021-2/+2
| | | | | | | | | | | | Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@
* interop: work around extreme REGRESS_SKIP_SLOW slownesstb2023-04-193-8/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A few years back beck introduced REGRESS_SKIP_SLOW dances with the idea that this should speed up the interop tests for us devs because this also checked interop between opensslX and opensslY, which we don't particularly care about. This never really worked. On a mac m1 mini the result is this: REGRESS_SKIP_SLOW unset 9m56.69s real 3m42.24s user 3m00.70s system REGRESS_SKIP_SLOW=yes 11m04.61s real 7m29.61s user 1m40.29s system The problem is that REGRESS_SKIP_SLOW simply wasn't designed to handle the huge number of tests we have here. There are many nested .for loops resulting in several thousand tests. Each test has a name of length ~80. REGRESS_SKIP_SLOW concatenates them into a several hundred kilobytes long string in REGRESS_SKIP_TARGETS, iterates over all regress targets and tests with ".if ${REGRESS_SKIP_TARGETS:M${RT}}" if it should skip them. This means that during a regress run, make spends a lot of time linearly scanning a huge string. I ran into this when I added OpenSSL 3.0 tests to the already existing 1.0.2 and 1.1 tests with the result that with REGRESS_SLOW_TARGTS set it took the better part of an hour while without it it took about 15 min. The hack here is simply to avoid using REGRESS_SLOW_TARGTES here and handle the situation differently. patch, REGRESS_SKIP_SLOW=yes 5m42.32s real 2m09.98s user 1m45.21s system The real solution would be to fix this in bsd.regress.mk, which someone who understands make well is very welcome to do. For now, I'm happy with this. Debugged with jsing a few months ago
* Don't run session tests with openssl 3.0 - these tests aren't TLSv1.3 readytb2023-02-011-2/+2
|
* Hopefully the last one.tb2023-02-011-4/+4
|
* One more openssl 1.0.2 thing missed.tb2023-02-011-4/+4
|
* Switch from eopenssl to eopenssl30. Missed in both previous commitstb2023-02-011-4/+4
| | | | for some reason.
* Retire OpenSSL 1.0.2 interoptb2023-02-017-93/+13
| | | | | | Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the interop tests anymore. anton's and bluhm's regress tests will switch to testing interoperability with OpenSSL 3.0.
* Add openssl 3.0 interop teststb2023-01-275-12/+70
| | | | | | | | | | The plan is to retire the 1.0.2 interop tests soon so as to be able to drop the dead and dangerous OpenSSL 1.0.2 port. The cert part is extremely slow on arm64: the whole interop test on an m1 is about 10x slower (~45 min!) than on a modern amd64 laptop, so people running regress may want to wait a bit with adding OpenSSL 3 to their test boxes until this is sorted out.
* Only run tests against ciphers supported by the method.tb2022-07-072-4/+28
|
* Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_listtb2022-02-051-1/+5
| | | | | | | | | | | | | | | | SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers. This wasn't a problem until now since the AEAD- ciphers were counted as distinct from TLS_ ciphers by the regress test, so they were never used in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests With the renaming, the TLSv1.3 ciphers are now considered as common ciphers, so they're tested. With openssl11 this results in 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573: The design of these tests doesn't allow easily adding a call to SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2) so skip the TLS_* ciphers for the time being.
* Mechanically adjust from AEAD- to TLS_ to adjust to the new cipher names.tb2022-02-051-10/+5
|
* Tell testers which packages to install right away (and why)kn2021-12-023-3/+7
| | | | | | | Other regress tests do it differently; just fix/thouch those that did not mention any package name at all. This helps grepping logs for SKIPPED to find instructions for the next run.
* Make Bob happy.bluhm2021-09-031-1/+5
|
* Revert accidental committb2021-08-301-2/+2
|
* link verify regress tests to buildtb2021-08-301-2/+2
|
* alarm(3) cannot fail, remove error handling.bluhm2021-07-061-3/+2
| | | | suggested by millert@
* Add to *FLAGS and *ADD rather than overwriting themtb2020-12-251-6/+6
| | | | | This makes CFLAGS pick up -O2, which shaves a few seconds runtime off these very slow tests.
* Remove echo headlines.bluhm2020-12-1710-33/+10
|
* botan2 uses C++11, so use ports-gcc on gcc-archstb2020-10-301-1/+12
| | | | This makes this interop test pass on sparc64.
* Do not fail with obscure error messages on 'make'tb2020-10-293-6/+12
| | | | | | | | | | | Fix some tests that fail with obscure error messages on 'make' if the required package (either version of OpenSSL or Botan 2) isn't installed. This can be avoided by doing 'make regress' instead. I'll try to adjust my finger memory for the many tests outside the LibreSSL tree that have the same "problem". The fix here is unintrusive and I've been wasting enough time with this to want to change it. ok bluhm
* 1) Move the interop tests to the end so we see tlsfuzzer firstbeck2020-09-214-7/+33
| | | | | | | | | | 2) Reorder the interop tests so the really slow "cert" test is at the end 3) Change the cert tests to use REGRESS_SLOW_TARGETS when testing combination of client and server that does not involve libressl. This way we can skip testing openssl to openssl11 when running these manually by setting REGRESS_SKIP_SLOW to "yet" in mk.conf ok jsing@
* Test botan TLS client with libressl, openssl, openssl11 server.bluhm2020-09-154-6/+305
|
* Connect a client to a server. Both can be current libressl, orbluhm2020-09-145-10/+193
| | | | | | | openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS version number. Incompatible versions must fail. Check that client and server have used correct version by grepping in their session print out.
* If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefersbluhm2020-09-121-9/+18
| | | | chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
* Enable cert and cipher interop tests. cert just works. cipher hasbluhm2020-09-113-55/+35
| | | | | | | | been fixed to work with libressl TLS 1.3. Both libressl and openssl11 replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects that now. Currently GOST does not work with libressl and TLS 1.3 and is disabled.
* Revise regress for TLSv1.3 server being enabled.jsing2020-05-113-9/+9
|
* Disable cert interop tests for now.jsing2020-01-251-2/+2
| | | | | | | | The libressl TLSv1.3 client and server currently lack client certificate authentication support and this test expects all clients can auth with all servers. We can likely turn this back on in the near future.
* Actually disable cipher interop tests.jsing2020-01-251-3/+3
|
* Disable the cipher interop tests.jsing2020-01-251-3/+4
| | | | | | | | | | These make far too many assumptions about cipher suites - TLSv1.3 cipher suites can only be used with TLSv1.3 and there is tests using TLSv1.3 cipher suites with TLSv1.2 will not work. Likewise, expecting TLSv1.2 cipher suites to work with TLSv1.3 is futile. Additionally, eopenssl11 lists TLSv1.3 cipher suites with different names to libressl. Futher work will be necessary before this can be re-enabled.
* Accept both TLSv1.2 and TLSv1.3 protocols for netcat.jsing2020-01-251-4/+3
| | | | | This can potentially be improved by adding knowledge about which libraries support which versions and handle differences between clients and servers.
* Disable session regress for libressl client talking to openssl11 server.jsing2020-01-251-1/+2
| | | | This is now talking over TLSv1.3 and needs session support.
* Enable GOST cipher selection test after libssl has been fixed.bluhm2019-03-281-6/+1
|
* Fix typo in usage and comment.bluhm2019-03-213-6/+6
|
* Test that all supported TLS ciphers actually work. Establishbluhm2019-02-218-26/+308
| | | | | | connections between client and server implemented with LibreSSL or OpenSSL with a fixed cipher on each side. Check the used cipher in the session print out.
* getopt(3) returns int, not char. Fix type of ch variable to preventbluhm2019-02-112-6/+6
| | | | sign error during arm regress.
* Fix a race in libssl interop regress. The success messages frombluhm2018-11-113-6/+9
| | | | | the server child could be delayed. In this case wait a second and check again.
* Reorganize libssl interop tests. Move netcat tests into separatebluhm2018-11-119-148/+197
| | | | | directory. Keep all log files for easier debugging. Name regress target names consistently.
* Regress client and server can do session reuse now. Test this withbluhm2018-11-106-129/+220
| | | | | all combinations of LibreSSL, OpenSSL 1.0.2, and OpenSSL 1.1. It is currently disabled for TLS 1.3 as this needs more setup.
* The cert subdir is testing all combinations of certificate validation.bluhm2018-11-0911-48/+244
| | | | | | Having the three libraries, client and server certificates, missing or invalid CA or certificates, and enforcing peer certificate results in 1944 new test cases.
* Add a self test for each SSL library by connecting client withbluhm2018-11-075-23/+88
| | | | | | server. Check that the highest available TLS version is selected. LibreSSL TLS 1.3 check is disabled until the feature becomes available.
* Add interop test with OpenSSL 1.1. TLS 1.3 should be used automaticallybluhm2018-11-075-10/+55
| | | | | when it becomes available in LibreSSL. thanks to sthen@ for the new OpenSSL port
* Print SSLeay, OpenSSL, and LibreSSL version strings. Make clientbluhm2018-11-077-12/+71
| | | | | and server compile with OpenSSL 1.1. Check runtime version string of SSL library.
* Test TLS interoperability between LibreSSL and OpenSSL.bluhm2018-11-0710-0/+549
Implement simple SSL client and server in C. Create four binaries by linking them with LibreSSL or OpenSSL. This way API compatibility is tested. Connect and accept with netcat to test protocol compatibility with libtls. Currently OpenSSL 1.0.2p from ports is used. Plan is to move to OpenSSL 1.1 and and test TLS 1.3. idea from beck@; help from jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 13:12:52 +0000