From 5693217025086160333d0a12214c5bee3d7660fc Mon Sep 17 00:00:00 2001
From: bluhm <>
Date: Wed, 7 Nov 2018 20:46:28 +0000
Subject: Add a self test for each SSL library by connecting client with server. Check that the highest available TLS version is selected. LibreSSL TLS 1.3 check is disabled until the feature becomes available.
---
 src/regress/lib/libssl/interop/Makefile.inc | 57 +++++++++++++++++------
 src/regress/lib/libssl/interop/README | 4 ++
 src/regress/lib/libssl/interop/libressl/Makefile | 19 ++++++--
 src/regress/lib/libssl/interop/openssl/Makefile | 13 ++++--
 src/regress/lib/libssl/interop/openssl11/Makefile | 18 +++++--
 5 files changed, 88 insertions(+), 23 deletions(-)
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
index f209bdbd91..1a1ef30ca6 100644
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ b/src/regress/lib/libssl/interop/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile.inc,v 1.3 2018/11/07 20:46:28 bluhm Exp $
 .PATH: ${.CURDIR}/..
@@ -18,43 +18,72 @@ ldd-$p.out: $p
 # run netcat server and connect with test client
-CLEANFILES += client.out netcat-l.out netcat-l.fstat
+CLEANFILES += nc-client.out netcat-l.out netcat-l.fstat
 REGRESS_TARGETS += run-client
-client.out run-client: client 127.0.0.1.crt
+nc-client.out run-client: client 127.0.0.1.crt
 @echo '\n======== $@ ========'
 echo "greeting" | nc -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
 127.0.0.1 0 >netcat-l.out & \
 sleep 1; fstat -p $$! >netcat-l.fstat
 LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./client \
 `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat-l.fstat` \
- >client.out
+ >nc-client.out
 # check that the client run successfully to the end
- grep -q '^success$$' client.out
+ grep -q '^success$$' nc-client.out
 # client must have read server greeting
- grep -q '^<<< greeting$$' client.out
+ grep -q '^<<< greeting$$' nc-client.out
 # netstat server must have read client hello
 grep -q '^hello$$' netcat-l.out
 # run test server and connect with netcat client
-CLEANFILES += server.out netcat.out
+CLEANFILES += nc-server.out netcat.out
 REGRESS_TARGETS += run-server
-server.out run-server: server 127.0.0.1.crt
+nc-server.out run-server: server 127.0.0.1.crt
 @echo '\n======== $@ ========'
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 >server.out
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 \
+ >nc-server.out
 echo "hello" | nc -c -T noverify \
- `sed -n 's/listen sock: //p' server.out` \
+ `sed -n 's/listen sock: //p' nc-server.out` \
 >netcat.out
 # check that the server child run successfully to the end
- grep -q '^success$$' server.out
+ grep -q '^success$$' nc-server.out
 # server must have read client hello
- grep -q '^<<< hello$$' server.out
+ grep -q '^<<< hello$$' nc-server.out
 # client must have read server greeting
 grep -q '^greeting$$' netcat.out
-# check that programs have used correct runtime library
+# run test server and with test client, self test the ssl library
-REGRESS_TARGETS += ${PROGS:S/^/run-version-/}
+CLEANFILES += self-client.out self-server.out
+REGRESS_TARGETS += run-self
+self-client.out self-server.out run-self: client server 127.0.0.1.crt
+ @echo '\n======== $@ ========'
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 \
+ >self-server.out
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./client \
+ `sed -n 's/listen sock: //p' self-server.out` \
+ >self-client.out
+ # check that the client run successfully to the end
+ grep -q '^success$$' self-client.out
+ # client must have read server greeting
+ grep -q '^<<< greeting$$' self-client.out
+ # check that the server child run successfully to the end
+ grep -q '^success$$' self-server.out
+ # server must have read client hello
+ grep -q '^<<< hello$$' self-server.out
+
+.for o in nc-client nc-server self-client self-server
+
+# check that client and server have used correct runtime library
+
+REGRESS_TARGETS += run-version-$o
+
+# check that client and server have used correct TLS protocol
+
+REGRESS_TARGETS += run-protocol-$o
+
+.endfor
 # create certificates for TLS
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
index d8847e5ef5..1bd418c9cc 100644
--- a/src/regress/lib/libssl/interop/README
+++ b/src/regress/lib/libssl/interop/README
@@ -5,6 +5,10 @@ by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This way API compatibility is tested. Connect and accept with netcat to test protocol compatibility with libtls.
+To self test each SSL library, connect client with server. Check
+that the highest available TLS version is selected. LibreSSL TLS
+1.3 check has to be enabled when the feature becomes available.
+
 Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As soon as LibreSSL supports TLS 1.3, it should be used automatically when netcat is communicating with OpenSSL 1.1.
diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
index 5fce6c5c22..19557ffbc1 100644
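Review bot: In the new run-self recipe the client's connect address is taken from `sed -n 's/listen sock: //p' self-server.out` with no check that the server actually printed it; if ./server fails to bind or exits early the sed output is empty and ./client runs with no arguments, so the failure surfaces as a client usage error instead of a server failure. A guard before starting the client, e.g. `grep -q '^listen sock: ' self-server.out`, keeps the failure attributable (the existing run-server recipe has the same gap and could get the same line). The trailing `grep -q '^success$$' self-server.out` presumably relies on the forked server child having finished writing before make reads the file, which the server's code (not part of this change) must guarantee; a one-line comment stating that ordering assumption would help the next reader. The new section comment also reads awkwardly; `# run test server with test client, self test the ssl library` is what is meant.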
--- a/src/regress/lib/libssl/interop/libressl/Makefile
+++ b/src/regress/lib/libssl/interop/libressl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2018/11/07 20:46:28 bluhm Exp $
 PROGS = client server
 CPPFLAGS =
@@ -7,6 +7,12 @@ LDADD = -lssl -lcrypto
 DPADD = ${LIBSSL} ${LIBCRYPTO}
 LD_LIBRARY_PATH =
+run-protocol-self-client run-protocol-self-server \
+run-protocol-nc-client run-protocol-nc-server:
+ @echo '\n======== $@ ========'
+ # LibreSSL does not support TLS 1.3 yet
+ @echo DISABLED
+
 .for p in ${PROGS}
 run-ldd-$p: ldd-$p.out
 @echo '\n======== $@ ========'
@@ -15,11 +21,18 @@ run-ldd-$p: ldd-$p.out
 grep -q /usr/lib/libssl.so ldd-$p.out
 # check that $p is not linked with OpenSSL
 ! grep /usr/local/lib/ ldd-$p.out
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
 @echo '\n======== $@ ========'
 # check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p.out
+ grep 'SSLEAY_VERSION: LibreSSL' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $o.out
 .endfor
 .include
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
index 9661767d7b..ad0c7288ca 100644
--- a/src/regress/lib/libssl/interop/openssl/Makefile
+++ b/src/regress/lib/libssl/interop/openssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2018/11/07 20:46:28 bluhm Exp $
 .if ! exists(/usr/local/bin/eopenssl)
 regress:
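Review bot: The four run-protocol-{self,nc}-{client,server} targets get a recipe twice in libressl/Makefile: once from the DISABLED stub in the `@@ -7,6 +7,12 @@` hunk and again from `run-protocol-$o: $o.out` inside the `.for o` loop in the `@@ -15,11 +21,18 @@` hunk. As far as I recall bmake warns about a duplicate script for a target and keeps the first one, so the TLSv1.3 grep is dead by accident of parse order rather than disabled by design, and the warning will appear on every run. Guarding the loop body with an `.if`, or keying the expected version through a variable (constructed example: `PROTOCOL = DISABLED` here versus `PROTOCOL = TLSv1.3` once LibreSSL supports it), makes the intent explicit and removes the reliance on that resolution. The same collision exists in openssl11/Makefile for run-protocol-nc-client and run-protocol-nc-server, where the stub in its `@@ -14,6 +14,11 @@` hunk overlaps the loop in its last hunk.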
@@ -22,11 +22,18 @@ run-ldd-$p: ldd-$p.out
 grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
 # check that $p is not linked with LibreSSL
 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
 @echo '\n======== $@ ========'
 # check that runtime version is OpenSSL 1.0
- grep 'SSLEAY_VERSION: OpenSSL 1.0' $p.out
+ grep 'SSLEAY_VERSION: OpenSSL 1.0' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.2
+ grep 'Protocol *: TLSv1.2' $o.out
 .endfor
 .include
diff --git a/src/regress/lib/libssl/interop/openssl11/Makefile b/src/regress/lib/libssl/interop/openssl11/Makefile
index b11e08488a..e7257a3976 100644
--- a/src/regress/lib/libssl/interop/openssl11/Makefile
+++ b/src/regress/lib/libssl/interop/openssl11/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2018/11/07 19:09:01 bluhm Exp $
+# $OpenBSD: Makefile,v 1.2 2018/11/07 20:46:28 bluhm Exp $
 .if ! exists(/usr/local/bin/eopenssl11)
 regress:
@@ -14,6 +14,11 @@ DPADD = /usr/local/lib/eopenssl11/libssl.a \
 /usr/local/lib/eopenssl11/libcrypto.a
 LD_LIBRARY_PATH = /usr/local/lib/eopenssl11
+run-protocol-nc-client run-protocol-nc-server:
+ @echo '\n======== $@ ========'
+ # LibreSSL does not support TLS 1.3 yet
+ @echo DISABLED
+
 .for p in ${PROGS}
 run-ldd-$p: ldd-$p.out
 @echo '\n======== $@ ========'
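Review bot: The comment on the new run-protocol-$o target in openssl/Makefile says only that TLS 1.2 is expected, not why, while the libressl and openssl11 Makefiles check for TLSv1.3; a reader comparing the three may take the 1.2 expectation for a downgrade bug. `# OpenSSL 1.0 has no TLS 1.3, so the highest negotiable version is TLS 1.2` states the rationale and ties the check to the commit's intent of verifying the highest available version. Note also that `grep 'Protocol *: TLSv1.2' $o.out` only proves that a TLSv1.2 line exists in the output; whether a lower version could also appear there depends on what ./client and ./server print, which is outside this change, so a negative check such as `! grep 'Protocol *: TLSv1[.01]' $o.out` may be worth adding if the output format allows it.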
@@ -22,11 +27,18 @@ run-ldd-$p: ldd-$p.out
 grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out
 # check that $p is not linked with LibreSSL
 ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
 @echo '\n======== $@ ========'
 # check that runtime version is OpenSSL 1.1
- grep 'SSLEAY_VERSION: OpenSSL 1.1' $p.out
+ grep 'SSLEAY_VERSION: OpenSSL 1.1' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $o.out
 .endfor
 .include
-- 
cgit v1.2.3-55-g6feb