From bc08093d61a7c129c8e10c0201e9f3ab3167593f Mon Sep 17 00:00:00 2001 From: tb <> Date: Mon, 30 Oct 2023 17:15:21 +0000 Subject: Add support for OpenSSL 3.1 interop tests Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything. --- src/regress/lib/libssl/interop/Makefile | 4 +-- src/regress/lib/libssl/interop/botan/Makefile | 5 ++- src/regress/lib/libssl/interop/cert/Makefile | 5 ++- src/regress/lib/libssl/interop/cipher/Makefile | 10 ++++-- src/regress/lib/libssl/interop/netcat/Makefile | 5 ++- src/regress/lib/libssl/interop/openssl31/Makefile | 43 +++++++++++++++++++++++ src/regress/lib/libssl/interop/session/Makefile | 5 ++- src/regress/lib/libssl/interop/version/Makefile | 8 +++-- 8 files changed, 74 insertions(+), 11 deletions(-) create mode 100644 src/regress/lib/libssl/interop/openssl31/Makefile diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile index 72dc87b5c2..82bef2314d 100644 --- a/src/regress/lib/libssl/interop/Makefile +++ b/src/regress/lib/libssl/interop/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $ +# $OpenBSD: Makefile,v 1.18 2023/10/30 17:15:21 tb Exp $ -SUBDIR = libressl openssl11 openssl30 +SUBDIR = libressl openssl11 openssl30 openssl31 # the above binaries must have been built before we can continue SUBDIR += netcat diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile index 23f8a07bf4..b9570b815a 100644 --- a/src/regress/lib/libssl/interop/botan/Makefile +++ b/src/regress/lib/libssl/interop/botan/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.6 2023/02/01 15:58:20 tb Exp $ +# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $ .include 
@@ -26,6 +26,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +LIBRARIES += openssl31 +.endif PROGS = client SRCS_client = client.cpp diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile index 47f4422d6e..ae755be223 100644 --- a/src/regress/lib/libssl/interop/cert/Makefile +++ b/src/regress/lib/libssl/interop/cert/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2023/04/19 15:34:23 tb Exp $ +# $OpenBSD: Makefile,v 1.11 2023/10/30 17:15:21 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or 3.0. Create client and server certificates @@ -13,6 +13,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +LIBRARIES += openssl31 +.endif .for cca in noca ca fakeca .for sca in noca ca fakeca diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile index 85d927a92d..627cfc8f9f 100644 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ b/src/regress/lib/libssl/interop/cipher/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.12 2023/04/19 15:34:23 tb Exp $ +# $OpenBSD: Makefile,v 1.13 2023/10/30 17:15:21 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or 3.0. Create lists of supported ciphers @@ -24,6 +24,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +LIBRARIES += openssl31 +.endif CLEANFILES = *.tmp *.ciphers ciphers.mk 
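Review bot: The `.if exists(/usr/local/bin/eopenssl31)` block added in botan/Makefile is repeated verbatim in the cert, cipher, netcat and version Makefiles (and, commented out, in session), next to the existing openssl11 and openssl30 copies. As far as these hunks show, a missing package just leaves the library out of `LIBRARIES` with no message, so a run can lose its OpenSSL 3.1 coverage without anyone noticing; only openssl31/Makefile prints `SKIPPED`. If the interop directory has a shared include, building `LIBRARIES` once there would keep the six lists from drifting apart.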
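Review bot: The header comment of cert/Makefile still reads `# openssl 1.1 or 3.0.` (context of its first hunk), although the `@@ -13,6 +13,9 @@` hunk now adds openssl31 to the libraries under test. The same stale sentence is visible in the first hunks of cipher/Makefile and version/Makefile. I would change it to `# openssl 1.1, 3.0 or 3.1.` in all three so the comment matches the matrix that is actually run.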
@@ -53,7 +56,8 @@ client-${clib}-server-${slib}.ciphers: \ # we are only interested in ciphers supported by libressl sort $@ client-libressl.ciphers >$@.tmp . if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \ - "${clib}" == "openssl30" || "${slib}" == "openssl30" + "${clib}" == "openssl30" || "${slib}" == "openssl30" || \ + "${clib}" == "openssl31" || "${slib}" == "openssl31" # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers sed -i '/^TLS_/d' $@.tmp . endif @@ -145,7 +149,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \ . endif . if "${clib}" == "libressl" # libressl client may prefer chacha-poly if aes-ni is not supported -. if "${slib}" == "openssl11" || "${slib}" == "openssl30" +. if "${slib}" == "openssl11" || "${slib}" == "openssl30" || "${slib}" == "openssl31" egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out . else egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile index 9cf10417af..568c4d255a 100644 --- a/src/regress/lib/libssl/interop/netcat/Makefile +++ b/src/regress/lib/libssl/interop/netcat/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.6 2023/02/01 15:38:57 tb Exp $ +# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $ LIBRARIES = libressl .if exists(/usr/local/bin/eopenssl11) @@ -7,6 +7,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +LIBRARIES += openssl31 +.endif # run netcat server and connect with test client diff --git a/src/regress/lib/libssl/interop/openssl31/Makefile b/src/regress/lib/libssl/interop/openssl31/Makefile new file mode 100644 index 0000000000..8f35fa272f --- /dev/null +++ b/src/regress/lib/libssl/interop/openssl31/Makefile 
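Review bot: Both arms of the `.if` extended in the `@@ -145,7 +149,7 @@` hunk of cipher/Makefile run the same `egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$'` command as shown, so adding `"${slib}" == "openssl31"` does not change what is checked. Either the `.else` arm was meant to assert a single expected cipher, or the inner conditional can be dropped and the egrep kept once. The closing `.endif` and the rest of the target lie outside the hunk, so this is judged from the visible lines only.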
@@ -0,0 +1,43 @@ +# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $ + +.if !exists(/usr/local/bin/eopenssl31) +regress: + # install openssl-3.1 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1' + @echo SKIPPED +.else + +PROGS = client server +CPPFLAGS = -I /usr/local/include/eopenssl31 +LDFLAGS = -L /usr/local/lib/eopenssl31 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl31/libssl.a \ + /usr/local/lib/eopenssl31/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl31 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.1 + grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v libc.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.1 + grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.1 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl31) + +.include diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile index f5858eaba0..99daa4ba4f 100644 --- a/src/regress/lib/libssl/interop/session/Makefile +++ b/src/regress/lib/libssl/interop/session/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.8 2023/02/01 16:03:47 tb Exp $ +# $OpenBSD: Makefile,v 1.9 2023/10/30 17:15:21 tb Exp $ LIBRARIES = libressl .if exists(/usr/local/bin/eopenssl11) 
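Review bot: The version and protocol checks in the new openssl31/Makefile match loosely, because the dots in `grep 'SSLEAY_VERSION: OpenSSL 3.1'` and `grep 'Protocol *: TLSv1.3'` are regex wildcards and the version pattern is an open prefix. Since `run-version-$p` is the check that proves the binaries really run against OpenSSL 3.1 rather than another installed branch, I would escape the dots and close the prefix, e.g. `grep -q 'SSLEAY_VERSION: OpenSSL 3\.1\.' $p-self.out`, assuming release strings always carry a patch number. The `run-ldd-$p` target already uses `grep -q`; using it here too would be consistent, unless the matched line is wanted in the regress log.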
@@ -7,6 +7,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) #LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +#LIBRARIES += openssl31 +.endif run-session-client-libressl-server-libressl \ run-session-client-libressl-server-openssl11 \ diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile index c4f7705d63..bb4641afa9 100644 --- a/src/regress/lib/libssl/interop/version/Makefile +++ b/src/regress/lib/libssl/interop/version/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $ +# $OpenBSD: Makefile,v 1.8 2023/10/30 17:15:21 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS @@ -13,6 +13,9 @@ LIBRARIES += openssl11 .if exists(/usr/local/bin/eopenssl30) LIBRARIES += openssl30 .endif +.if exists(/usr/local/bin/eopenssl31) +LIBRARIES += openssl31 +.endif VERSIONS = any TLS1_2 TLS1_3 @@ -29,7 +32,8 @@ FAIL_${cver}_${sver} = ! .for slib in ${LIBRARIES} .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \ - (("${clib}" != openssl30 && "${slib}" != openssl30) || \ + ((("${clib}" != openssl30 && "${slib}" != openssl30) && \ + ("${clib}" != openssl31 && "${slib}" != openssl31)) || \ (("${cver}" != any && "${sver}" != any) && \ ("${cver}" != TLS1 && "${sver}" != TLS1) && \ ("${cver}" != TLS1_1 && "${sver}" != TLS1_1))) -- cgit v1.2.3-55-g6feb
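Review bot: The new `.if exists(/usr/local/bin/eopenssl31)` block in session/Makefile contains only the commented-out `#LIBRARIES += openssl31`, so the session tests are never run against OpenSSL 3.1 and nothing says why. A one-line comment above the block, e.g. `# session tests against OpenSSL 3.x are disabled: <reason>`, would tell the next reader whether this is a known incompatibility or an oversight. The openssl30 block just above it has the same gap.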
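Review bot: The `.if` in the `@@ -29,7 +32,8 @@` hunk of version/Makefile is now nested three levels deep with no comment saying which client/server pairs it selects. As written, a pair involving openssl30 or openssl31 satisfies it only when neither side is `any`, `TLS1`, `TLS1_1` or `TLS1_3`; with the `VERSIONS = any TLS1_2 TLS1_3` shown in the previous hunk that leaves both sides pinned to TLS1_2. A comment above the condition such as `# OpenSSL 3.x pairs qualify only when both sides are pinned to TLS1_2` would make that reviewable. The body of the conditional is outside the hunk, so I cannot tell which way the branch is used.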