From 5f0eba55ef76d10d214ee6e9720f71139555905b Mon Sep 17 00:00:00 2001 From: tb <> Date: Wed, 15 Jan 2025 10:54:17 +0000 Subject: Interop tests for openssl 3.3 and 3.4, retire 3.2, 1.1 (and 3.1 remnants) OpenSSL 1.1 and 3.2 will be removed from the ports tree, so test the two remaining versions. Unfortunately, this requires a lot more manual massaging than there should be. --- src/regress/lib/libssl/interop/Makefile | 6 ++-- src/regress/lib/libssl/interop/botan/Makefile | 13 +++---- src/regress/lib/libssl/interop/cert/Makefile | 15 ++++---- src/regress/lib/libssl/interop/cipher/Makefile | 25 ++++++------- src/regress/lib/libssl/interop/netcat/Makefile | 13 +++---- src/regress/lib/libssl/interop/openssl11/Makefile | 43 ---------------------- src/regress/lib/libssl/interop/openssl31/Makefile | 43 ---------------------- src/regress/lib/libssl/interop/openssl32/Makefile | 44 ----------------------- src/regress/lib/libssl/interop/openssl33/Makefile | 44 +++++++++++++++++++++++ src/regress/lib/libssl/interop/openssl34/Makefile | 44 +++++++++++++++++++++++ src/regress/lib/libssl/interop/session/Makefile | 18 ++++------ src/regress/lib/libssl/interop/version/Makefile | 13 +++---- 12 files changed, 130 insertions(+), 191 deletions(-) delete mode 100644 src/regress/lib/libssl/interop/openssl11/Makefile delete mode 100644 src/regress/lib/libssl/interop/openssl31/Makefile delete mode 100644 src/regress/lib/libssl/interop/openssl32/Makefile create mode 100644 src/regress/lib/libssl/interop/openssl33/Makefile create mode 100644 src/regress/lib/libssl/interop/openssl34/Makefile diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile index 21dfce359d..bdc67f627a 100644 --- a/src/regress/lib/libssl/interop/Makefile +++ b/src/regress/lib/libssl/interop/Makefile 
@@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.20 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $ -SUBDIR = libressl openssl11 openssl31 openssl32 +SUBDIR = libressl openssl33 openssl34 # the above binaries must have been built before we can continue SUBDIR += netcat @@ -10,7 +10,7 @@ SUBDIR += botan # What is below takes a long time. # setting REGRESS_SKIP_SLOW to "yes" in mk.conf # will skip the tests that do not test libressl -# but do things like test openssl11 to openssl 3 +# but do things like test openssl 3.x to openssl 3.y SUBDIR += version SUBDIR += cipher # This takes a really long time. diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile index e20553012a..85877d4290 100644 --- a/src/regress/lib/libssl/interop/botan/Makefile +++ b/src/regress/lib/libssl/interop/botan/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ .include @@ -20,14 +20,11 @@ CXX = /usr/local/bin/eg++ .endif LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif PROGS = client diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile index ab35d03d74..74c63c86a8 100644 --- a/src/regress/lib/libssl/interop/cert/Makefile +++ b/src/regress/lib/libssl/interop/cert/Makefile 
@@ -1,20 +1,17 @@ -# $OpenBSD: Makefile,v 1.13 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or -# openssl 1.1 or 3.0. Create client and server certificates +# openssl 3.x. Create client and server certificates # that are signed by a CA and not signed by a fake CA. Try all # combinations with, without, and with wrong CA for client and server # and check the result of certificate verification. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif .for cca in noca ca fakeca diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile index bf4a1e28dc..fa7e25f9ee 100644 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ b/src/regress/lib/libssl/interop/cipher/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.16 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or 3.0. Create lists of supported ciphers @@ -7,14 +7,11 @@ # have used correct cipher by grepping in their session print out. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif CLEANFILES = *.tmp *.ciphers ciphers.mk 
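Review bot: The header comment kept as context in the cipher/Makefile `@@ -1,4 +1,4 @@` hunk still reads `openssl 1.1 or 3.0`, although this commit removes every OpenSSL 1.1 reference from that file. The header of version/Makefile carries the same stale wording (`openssl 1.1 or openssl 3.0`). cert/Makefile was updated in this same commit to `# openssl 3.x. Create client and server certificates`, so the other two headers should follow, e.g. `# openssl 3.x. Create lists of supported ciphers` in cipher/Makefile. Stale version names in a test header make it harder to tell which peers the interop matrix actually covers.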
@@ -44,9 +41,8 @@ client-${clib}-server-${slib}.ciphers: \ uniq -d <$@.tmp >$@ # we are only interested in ciphers supported by libressl sort $@ client-libressl.ciphers >$@.tmp -. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \ - "${clib}" == "openssl31" || "${slib}" == "openssl31" || \ - "${clib}" == "openssl32" || "${slib}" == "openssl32" +. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \ + "${clib}" == "openssl34" || "${slib}" == "openssl34" # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers sed -i '/^TLS_/d' $@.tmp . endif @@ -74,9 +70,8 @@ regress: ciphers.mk .endif LEVEL_libressl = -LEVEL_openssl11 = ,@SECLEVEL=0 -LEVEL_openssl31 = ,@SECLEVEL=0 -LEVEL_openssl32 = ,@SECLEVEL=0 +LEVEL_openssl33 = ,@SECLEVEL=0 +LEVEL_openssl34 = ,@SECLEVEL=0 .for clib in ${LIBRARIES} .for slib in ${LIBRARIES} @@ -137,7 +132,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \ . endif . if "${clib}" == "libressl" # libressl client may prefer chacha-poly if aes-ni is not supported -. if "${slib}" == "openssl11" || "${slib}" == "openssl31" || "${slib}" == "openssl32" +. if "${slib}" == "openssl33" || "${slib}" == "openssl34" egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out . else egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile index ee6fc7e103..3b8e3f95be 100644 --- a/src/regress/lib/libssl/interop/netcat/Makefile +++ b/src/regress/lib/libssl/interop/netcat/Makefile 
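Review bot: In the check-cipher hunk (`@@ -137,7 +132,7 @@`) the `.if "${slib}" == "openssl33" || "${slib}" == "openssl34"` branch and its `.else` branch run the same `egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out` as rendered here, so the conditional appears to select nothing. If the two recipes really are identical (whitespace differences may have been lost in this rendering), the inner `.if`/`.else` can be dropped and the single `egrep` line kept, which removes one more hand-maintained list of library names. The enclosing `.if "${clib}" == "libressl"` block ends outside the hunk, so this is based on the visible lines only.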
@@ -1,14 +1,11 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif # run netcat server and connect with test client diff --git a/src/regress/lib/libssl/interop/openssl11/Makefile b/src/regress/lib/libssl/interop/openssl11/Makefile deleted file mode 100644 index 27e7354925..0000000000 --- a/src/regress/lib/libssl/interop/openssl11/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.8 2021/12/02 17:10:53 kn Exp $ - -.if ! exists(/usr/local/bin/eopenssl11) -regress: - # install openssl-1.1 from ports for interop tests - @echo 'Run "pkg_add openssl--%1.1" to run tests against OpenSSL 1.1' - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl11 -LDFLAGS = -L /usr/local/lib/eopenssl11 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl11/libssl.a \ - /usr/local/lib/eopenssl11/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl11 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 1.1 - grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 1.1 - grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 1.1 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl11) - -.include diff --git a/src/regress/lib/libssl/interop/openssl31/Makefile b/src/regress/lib/libssl/interop/openssl31/Makefile deleted file mode 100644 index 8f35fa272f..0000000000 --- a/src/regress/lib/libssl/interop/openssl31/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $ - -.if !exists(/usr/local/bin/eopenssl31) -regress: - # install openssl-3.1 from ports for interop tests - @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1' - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl31 -LDFLAGS = -L /usr/local/lib/eopenssl31 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl31/libssl.a \ - /usr/local/lib/eopenssl31/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl31 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.1 - grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.1 - grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.1 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl31) - -.include diff --git a/src/regress/lib/libssl/interop/openssl32/Makefile b/src/regress/lib/libssl/interop/openssl32/Makefile deleted file mode 100644 index 87255138ff..0000000000 --- a/src/regress/lib/libssl/interop/openssl32/Makefile +++ /dev/null 
@@ -1,44 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2024/10/22 16:31:10 tb Exp $ - -.if ! exists(/usr/local/bin/eopenssl32) -regress: - # install openssl-3.2 ports for interop tests - @echo 'Run "pkg_add openssl--%3.2" to run tests against OpenSSL 3.2' - @echo SKIPPED -.else - -PROGS = client server -CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED -CPPFLAGS = -I /usr/local/include/eopenssl32 -LDFLAGS = -L /usr/local/lib/eopenssl32 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl32/libssl.a \ - /usr/local/lib/eopenssl32/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl32 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.2 - grep -q /usr/local/lib/eopenssl32/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl32/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.2 - grep 'SSLEAY_VERSION: OpenSSL 3.2' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.2 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl32) - -.include diff --git a/src/regress/lib/libssl/interop/openssl33/Makefile b/src/regress/lib/libssl/interop/openssl33/Makefile new file mode 100644 index 0000000000..eff61704d0 --- /dev/null +++ b/src/regress/lib/libssl/interop/openssl33/Makefile 
@@ -0,0 +1,44 @@ +# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ + +.if ! exists(/usr/local/bin/eopenssl33) +regress: + # install openssl-3.3 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3' + @echo SKIPPED +.else + +PROGS = client server +CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED +CPPFLAGS = -I /usr/local/include/eopenssl33 +LDFLAGS = -L /usr/local/lib/eopenssl33 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl33/libssl.a \ + /usr/local/lib/eopenssl33/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl33 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.3 + grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v libc.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.3 + grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.3 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl33) + +.include diff --git a/src/regress/lib/libssl/interop/openssl34/Makefile b/src/regress/lib/libssl/interop/openssl34/Makefile new file mode 100644 index 0000000000..72246bb621 --- /dev/null +++ b/src/regress/lib/libssl/interop/openssl34/Makefile 
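Review bot: openssl33/Makefile and openssl34/Makefile are the same 44 lines with only the version digits changed, which is the manual per-release work the commit message itself complains about. Defining the version once at the top of each file and building `/usr/local/lib/eopenssl33`, `/usr/local/include/eopenssl33` and the `OpenSSL 3.3` grep strings from that variable would reduce the next retirement to a one-line edit per directory. It would also stop a missed digit from leaving a test that checks linkage against one library and the runtime version string of another. A short header comment stating what `run-ldd-$p`, `run-version-$p` and `run-protocol-$p` each prove would help too, since the new files have none.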
@@ -0,0 +1,44 @@ +# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ + +.if ! exists(/usr/local/bin/eopenssl34) +regress: + # install openssl-3.4 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4' + @echo SKIPPED +.else + +PROGS = client server +CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED +CPPFLAGS = -I /usr/local/include/eopenssl34 +LDFLAGS = -L /usr/local/lib/eopenssl34 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl34/libssl.a \ + /usr/local/lib/eopenssl34/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl34 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.4 + grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v libc.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.4 + grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.4 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl34) + +.include diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile index ab6503c97f..e9a353f99e 100644 --- a/src/regress/lib/libssl/interop/session/Makefile +++ b/src/regress/lib/libssl/interop/session/Makefile 
@@ -1,20 +1,14 @@ -# $OpenBSD: Makefile,v 1.11 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $ LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +#LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -#LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -#LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +#LIBRARIES += openssl34 .endif -run-session-client-libressl-server-libressl \ -run-session-client-libressl-server-openssl11 \ -run-session-client-openssl11-server-libressl \ -run-session-client-openssl11-server-openssl11: +run-session-client-libressl-server-libressl: # TLS 1.3 needs some extra setup for session reuse @echo DISABLED diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile index aa5883fa2d..605fba252f 100644 --- a/src/regress/lib/libssl/interop/version/Makefile +++ b/src/regress/lib/libssl/interop/version/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS @@ -7,11 +7,11 @@ # print out. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif VERSIONS = any TLS1_2 TLS1_3 
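Review bot: Both `.if exists(...)` blocks in session/Makefile now guard only a commented-out `#LIBRARIES += ...` line, and nothing says why. As far as the hunk shows, they are no-ops and the one remaining target, `run-session-client-libressl-server-libressl`, only prints `DISABLED`, so the directory tests no OpenSSL peer at all. A comment above the blocks would keep that gap visible, e.g. `# openssl 3.x peers stay disabled until TLS 1.3 session reuse is set up (see DISABLED target below)`. Without it a reader could take the `exists()` checks as evidence that session reuse against OpenSSL 3.3 and 3.4 is being exercised.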
@@ -29,7 +29,8 @@ FAIL_${cver}_${sver} = ! .for slib in ${LIBRARIES} .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \ - ((("${clib}" != openssl31 && "${slib}" != openssl31)) || \ + ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \ + (("${clib}" != openssl34 && "${slib}" != openssl34)) || \ (("${cver}" != any && "${sver}" != any) && \ ("${cver}" != TLS1 && "${sver}" != TLS1) && \ ("${cver}" != TLS1_1 && "${sver}" != TLS1_1))) -- cgit v1.2.3-55-g6feb
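Review bot: Joining the openssl33 and openssl34 clauses with `||` in this `.if` makes the library test true for almost every pairing. For example, openssl33 against libressl satisfies the openssl34 clause, so it is no longer held back from the `any`/`TLS1`/`TLS1_1` combinations that the old single openssl31 clause excluded. Only a direct openssl33-to-openssl34 pairing still falls through to the version checks. If the intent is that neither side is an OpenSSL 3.x library, the two clauses need `&&`: `((("${clib}" != openssl33 && "${slib}" != openssl33) && \` followed by `("${clib}" != openssl34 && "${slib}" != openssl34)) || \`. The body of the `.if` and its `.endif` lie outside the hunk, so what the condition gates is inferred from the visible lines.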