From 4e4f5b4c833ba5285e001bdb6b832bdf91c43da3 Mon Sep 17 00:00:00 2001 
From: cvs2svn
Date: Mon, 30 Aug 2021 17:27:46 +0000
Subject: This commit was manufactured by cvs2git to create tag 'tb_20210830'.
---
 src/regress/lib/libssl/interop/LICENSE | 15 -
 src/regress/lib/libssl/interop/Makefile | 19 --
 src/regress/lib/libssl/interop/Makefile.inc | 90 ------
 src/regress/lib/libssl/interop/README | 22 --
 src/regress/lib/libssl/interop/botan/Makefile | 82 ------
 src/regress/lib/libssl/interop/botan/client.cpp | 228 ---------------
 src/regress/lib/libssl/interop/cert/Makefile | 87 ------
 src/regress/lib/libssl/interop/cipher/Makefile | 170 ------------
 src/regress/lib/libssl/interop/client.c | 273 ------------------
 src/regress/lib/libssl/interop/libressl/Makefile | 34 ---
 src/regress/lib/libssl/interop/netcat/Makefile | 84 ------
 src/regress/lib/libssl/interop/openssl/Makefile | 42 ---
 src/regress/lib/libssl/interop/openssl11/Makefile | 42 ---
 src/regress/lib/libssl/interop/server.c | 320 ----------------------
 src/regress/lib/libssl/interop/session/Makefile | 46 ----
 src/regress/lib/libssl/interop/util.c | 145 ----------
 src/regress/lib/libssl/interop/util.h | 23 --
 src/regress/lib/libssl/interop/version/Makefile | 103 -------
 18 files changed, 1825 deletions(-)
 delete mode 100644 src/regress/lib/libssl/interop/LICENSE
 delete mode 100644 src/regress/lib/libssl/interop/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/Makefile.inc
 delete mode 100644 src/regress/lib/libssl/interop/README
 delete mode 100644 src/regress/lib/libssl/interop/botan/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/botan/client.cpp
 delete mode 100644 src/regress/lib/libssl/interop/cert/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/cipher/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/client.c
 delete mode 100644 src/regress/lib/libssl/interop/libressl/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/netcat/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/openssl/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/openssl11/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/server.c
 delete mode 100644 src/regress/lib/libssl/interop/session/Makefile
 delete mode 100644 src/regress/lib/libssl/interop/util.c
 delete mode 100644 src/regress/lib/libssl/interop/util.h
 delete mode 100644 src/regress/lib/libssl/interop/version/Makefile
(limited to 'src/regress/lib/libssl/interop')
diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
deleted file mode 100644
index 838e7f45cc..0000000000
--- a/src/regress/lib/libssl/interop/LICENSE
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
- * Copyright (c) 2018-2019 Alexander Bluhm
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
deleted file mode 100644
index aa9c3adf56..0000000000
--- a/src/regress/lib/libssl/interop/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: Makefile,v 1.13 2020/09/21 15:13:24 beck Exp $
-
-SUBDIR = libressl openssl openssl11
-
-# the above binaries must have been built before we can continue
-SUBDIR += netcat
-SUBDIR += session
-SUBDIR += botan
-
-# What is below takes a long time.
-# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
-# will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
-SUBDIR += version
-SUBDIR += cipher
-# This takes a really long time.
-SUBDIR += cert
-
-.include
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
deleted file mode 100644
index ed5fe26147..0000000000
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ /dev/null
@@ -1,90 +0,0 @@ -# $OpenBSD: Makefile.inc,v 1.8 2020/12/17 00:51:11 bluhm Exp $ - -.PATH: ${.CURDIR}/.. - -SRCS_client ?= client.c util.c -SRCS_server ?= server.c util.c -WARNINGS = yes -CLEANFILES += *.out *.fstat - -.for p in ${PROGS} -ldd-$p.out: $p - # programs must be linked with correct libraries - LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@ -.endfor - -client-self.out server-self.out: run-self-client-server - -run-self-client-server: client server 127.0.0.1.crt - # check that tls client and server work together - LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \ - ./server >server-self.out \ - 127.0.0.1 0 - LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \ - ./client >client-self.out \ - `sed -n 's/listen sock: //p' server-self.out` - # check that the client run successfully to the end - grep -q '^success$$' client-self.out - # client must have read server greeting - grep -q '^<<< greeting$$' client-self.out - # check that the server child run successfully to the end - grep -q '^success$$' server-self.out - # server must have read client hello - grep -q '^<<< hello$$' server-self.out - -# create certificates for TLS - -CLEANFILES += 127.0.0.1.{crt,key} \ - ca.{crt,key,srl} fake-ca.{crt,key} \ - {client,server}.{req,crt,key} \ - {dsa,ec,gost,rsa}.{key,req,crt} \ - dh.param - -127.0.0.1.crt: - openssl req -batch -new \ - -subj /L=OpenBSD/O=tls-regress/OU=server/CN=${@:R}/ \ - -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@ - -ca.crt fake-ca.crt: - openssl req -batch -new \ - -subj /L=OpenBSD/O=tls-regress/OU=ca/CN=root/ \ - -nodes -newkey rsa -keyout ${@:R}.key -x509 -out $@ - -client.req server.req: - openssl req -batch -new \ - -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \ - -nodes -newkey rsa -keyout ${@:R}.key -out $@ - -client.crt server.crt: ca.crt ${@:R}.req - openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \ - -req -in ${@:R}.req -out $@ - -dh.param: - openssl dhparam -out $@ 1024 - -dsa.key: - openssl dsaparam -genkey -out $@ 2048 - -ec.key: - openssl 
ecparam -genkey -name secp256r1 -out $@ - -gost.key: - openssl genpkey -algorithm gost2001 \ - -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@ - -rsa.key: - openssl genrsa -out $@ 2048 - -dsa.req ec.req rsa.req: ${@:R}.key - openssl req -batch -new \ - -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \ - -nodes -key ${@:R}.key -out $@ - -gost.req: ${@:R}.key - openssl req -batch -new -md_gost94 \ - -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \ - -nodes -key ${@:R}.key -out $@ - -dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req - openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \ - -req -in ${@:R}.req -out $@ diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README deleted file mode 100644 index 54910e554d..0000000000 --- a/src/regress/lib/libssl/interop/README +++ /dev/null @@ -1,22 +0,0 @@ -Test TLS interoperability between LibreSSL and OpenSSL. - -Implement simple SSL client and server in C. Create six binaries -by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This -way API compatibility is tested. - -To self test each SSL library, connect client with server. Check -that the highest available TLS version is selected. LibreSSL TLS -1.3 check has to be enabled when the feature becomes available. - -Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As -soon as LibreSSL supports TLS 1.3, it should be used automatically -when netcat is communicating with OpenSSL 1.1. - -Connect and accept with netcat to test protocol compatibility with -libtls. Test TLS session reuse multiple times with different library -combinations. The cert subdir is testing all combinations of -certificate validation. Having the three libraries, client and -server certificates, missing or invalid CA or certificates, and -enforcing peer certificate results in 1944 test cases. The cipher -test establishes connections between implementations for each -supported cipher. 
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
deleted file mode 100644
index a162ee9e17..0000000000
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ /dev/null
@@ -1,82 +0,0 @@ -# $OpenBSD: Makefile,v 1.4 2020/12/17 00:51:11 bluhm Exp $ - -.include - -.if ! exists(/usr/local/bin/botan) -regress: - # install botan2 from ports for interop tests - @echo SKIPPED -.elif (${COMPILER_VERSION:L} != "clang" && ! exists(/usr/local/bin/eg++)) -regress: - # on gcc-archs install g++ from ports for botan2 interop tests - @echo SKIPPED -.else - -# C++11 -.if ${COMPILER_VERSION:L} != "clang" && ${CXX} == "c++" -CXX = /usr/local/bin/eg++ -.endif - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl) -LIBRARIES += openssl -.endif -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 -.endif - -PROGS = client -SRCS_client = client.cpp -CXXFLAGS = -I/usr/local/include/botan-2 -Wall -LDFLAGS = -L/usr/local/lib -LDADD = -lbotan-2 -DPADD = /usr/local/lib/libbotan-2.a - -.for lib in ${LIBRARIES} - -REGRESS_TARGETS += run-client-botan-server-${lib} - -run-client-botan-server-${lib}: client server.crt - LD_LIBRARY_PATH=/usr/local/lib/e${lib} \ - ../${lib}/server >server-${lib}.out \ - -c server.crt -k server.key \ - 127.0.0.1 0 - ./client >client-botan.out \ - -C ca.crt \ - 127.0.0.1 \ - `sed -n 's/listen sock: 127.0.0.1 //p' server-${lib}.out` - # check that the server child run successfully to the end - grep -q '^success$$' server-${lib}.out || \ - { sleep 1; grep -q '^success$$' server-${lib}.out; } - # server must have read client hello - grep -q '^<<< hello$$' server-${lib}.out - # check that the client run successfully to the end - grep -q '^success$$' client-botan.out - # client must have read server greeting - grep -q '^<<< greeting$$' client-botan.out - # currently botan supports TLS 1.2, adapt later - grep -q ' Protocol *: TLSv1.2$$' server-${lib}.out - -.endfor - -server.key ca.key: - /usr/local/bin/botan keygen >$@.tmp - mv $@.tmp $@ - -ca.crt: ${@:R}.key - /usr/local/bin/botan gen_self_signed ${@:R}.key ${@:R} >$@.tmp \ - --organization=tls-regress --ca - mv $@.tmp $@ - -server.req: ${@:R}.key - /usr/local/bin/botan 
gen_pkcs10 ${@:R}.key localhost >$@.tmp \ - --organization=tls-regress --dns=127.0.0.1 - mv $@.tmp $@ - -server.crt: ca.crt ${@:R}.req - /usr/local/bin/botan sign_cert ca.crt ca.key ${@:R}.req >$@.tmp - mv $@.tmp $@ - -.endif # exists(/usr/local/bin/botan) - -.include diff --git a/src/regress/lib/libssl/interop/botan/client.cpp b/src/regress/lib/libssl/interop/botan/client.cpp deleted file mode 100644 index 2352d7bba2..0000000000 --- a/src/regress/lib/libssl/interop/botan/client.cpp +++ /dev/null 
@@ -1,228 +0,0 @@ -/* $OpenBSD: client.cpp,v 1.1 2020/09/15 01:45:16 bluhm Exp $ */ -/* - * Copyright (c) 2019-2020 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include -#include -using namespace std; - -class Callbacks : public Botan::TLS::Callbacks { -public: - Callbacks(int socket) : - m_socket(socket) - {} - - void print_sockname() - { - struct sockaddr_storage ss; - char host[NI_MAXHOST], port[NI_MAXSERV]; - socklen_t slen; - - slen = sizeof(ss); - if (getsockname(m_socket, (struct sockaddr *)&ss, &slen) == -1) - err(1, "getsockname"); - if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host, - sizeof(host), port, sizeof(port), - NI_NUMERICHOST | NI_NUMERICSERV)) - errx(1, "getnameinfo"); - cout <<"sock: " < 0) { - ssize_t n; - - n = send(m_socket, data + off, len, 0); - if (n < 0) - err(1, "send"); - off += n; - len -= n; - } - } - - void tls_record_received(uint64_t seq_no, const uint8_t data[], - size_t size) override - { - cout <<"<<< " <>> " <send(str); - m_channel->close(); - } - - void tls_alert(Botan::TLS::Alert alert) override - { - errx(1, "alert: %s", alert.type_string().c_str()); - } - - bool tls_session_established(const 
Botan::TLS::Session& session) - override - { - cout <<"established" < trusted_certificate_authorities( - const std::string &type, const std::string &context) - override - { - std::vector cs { &m_ca }; - return cs; - } - - void add_certificate_file(const std::string &file) { - Botan::X509_Certificate cert(file); - m_ca.add_certificate(cert); - } -private: - Botan::Certificate_Store_In_Memory m_ca; -}; - -class Policy : public Botan::TLS::Strict_Policy { -public: - bool require_cert_revocation_info() const override { - return false; - } -}; - -void __dead -usage(void) -{ - fprintf(stderr, "usage: client [-C CA] host port\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - struct addrinfo hints, *res; - int ch, s, error; - char buf[256]; - char *cafile = NULL; - char *host, *port; - - while ((ch = getopt(argc, argv, "C:")) != -1) { - switch (ch) { - case 'C': - cafile = optarg; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else { - usage(); - } - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; - hints.ai_socktype = SOCK_STREAM; - error = getaddrinfo(host, port, &hints, &res); - if (error) - errx(1, "getaddrinfo: %s", gai_strerror(error)); - if (res == NULL) - errx(1, "getaddrinfo empty"); - s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (s == -1) - err(1, "socket"); - if (connect(s, res->ai_addr, res->ai_addrlen) == -1) - err(1, "connect"); - freeaddrinfo(res); - - { - Callbacks callbacks(s); - Botan::AutoSeeded_RNG rng; - Botan::TLS::Session_Manager_In_Memory session_mgr(rng); - Credentials creds; - if (cafile != NULL) - creds.add_certificate_file(cafile); - Policy policy; - - callbacks.print_sockname(); - callbacks.print_peername(); - Botan::TLS::Client client(callbacks, session_mgr, creds, - policy, rng); - callbacks.set_channel(client); - - while (!client.is_closed()) { - ssize_t n; - - n = recv(s, buf, sizeof(buf), 0); - if (n < 
0) - err(1, "recv"); - if (n == 0) - errx(1, "eof"); - client.received_data((uint8_t *)&buf, n); - } - } - - if (close(s) == -1) - err(1, "close"); - - cout <<"success" <${@:S/^run/server/}.out \ - ${sca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \ - ${scert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \ - ${sv:S/^noverify//:S/^verify/-v/:S/^certverify/-vv/} \ - 127.0.0.1 0 - ${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}} \ - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - ${cca:S/^noca//:S/^fakeca/-C fake-ca.crt/:S/^ca/-C ca.crt/} \ - ${ccert:S/^nocert//:S/^cert/-c server.crt -k server.key/} \ - ${cv:S/^noverify//:S/^verify/-v/} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` -.if empty(${FAIL_${cca}_${sca}_${ccert}_${scert}_${cv}_${sv}}) - grep '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; } - grep '^success$$' ${@:S/^run/client/}.out -.elif ! ("${sv}" == certverify && "${ccert}" == nocert) || \ - ("${cv}" == verify && "${scert}" != cert) - grep '^verify: fail' ${@:S/^run/client/}.out ${@:S/^run/server/}.out -.endif - -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor -.endfor - -# argument list too long for a single rm * - -clean: _SUBDIRUSE - rm -f client-*.out - rm -f server-*.out - rm -f a.out [Ee]rrs mklog *.core y.tab.h \ - ${PROG} ${PROGS} ${OBJS} ${_LEXINTM} ${_YACCINTM} ${CLEANFILES} - -.include diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile deleted file mode 100644 index c88309962d..0000000000 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ /dev/null 
@@ -1,170 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2020/12/17 00:51:11 bluhm Exp $ - -# Connect a client to a server. Both can be current libressl, or -# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers -# and pin client and server to one of the ciphers. Use server -# certificate with compatible type. Check that client and server -# have used correct cipher by grepping in their session print out. - -run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \ -run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \ -client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \ -client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \ -server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \ -server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \ -check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \ -check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl: - # gost does not work with libressl TLS 1.3 right now - @echo DISABLED - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl) -LIBRARIES += openssl -.endif -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 -.endif - -CLEANFILES = *.tmp *.ciphers ciphers.mk - -.for clib in ${LIBRARIES} -client-${clib}.ciphers: - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client -l ALL -L >$@.tmp - sed -n 's/^cipher //p' <$@.tmp | sort -u >$@ - rm $@.tmp -.endfor -.for slib in ${LIBRARIES} -server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server -l ALL -L >$@.tmp - sed -n 's/^cipher //p' <$@.tmp | sort -u >$@ - rm $@.tmp -.endfor - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} -ciphers.mk: client-${clib}-server-${slib}.ciphers -client-${clib}-server-${slib}.ciphers: \ - client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers - # get ciphers shared between client and server - 
sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp - uniq -d <$@.tmp >$@ - # we are only interested in ciphers supported by libressl - sort $@ client-libressl.ciphers >$@.tmp - uniq -d <$@.tmp >$@ - rm $@.tmp -.endfor -.endfor - -ciphers.mk: - rm -f $@ $@.tmp -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \ - `cat client-${clib}-server-${slib}.ciphers` -.endfor -.endfor - mv $@.tmp $@ - -# hack to convert generated lists into usable make variables -.if exists(ciphers.mk) -.include "ciphers.mk" -.else -regress: ciphers.mk - ${MAKE} -C ${.CURDIR} regress -.endif - -LEVEL_libressl = -LEVEL_openssl = -LEVEL_openssl11 = ,@SECLEVEL=0 - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} -.for cipher in ${CIPHERS_${clib}_${slib}} - -.if "${cipher:M*-DSS-*}" != "" -TYPE_${cipher} = dsa -.elif "${cipher:M*-ECDSA-*}" != "" -TYPE_${cipher} = ec -.elif "${cipher:M*-GOST89-*}" != "" -TYPE_${cipher} = gost -.elif "${cipher:M*-RSA-*}" != "" -TYPE_${cipher} = rsa -.else -TYPE_${cipher} = 127.0.0.1 -.endif - -.if "${slib}" == "openssl" && \ - "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != "" -DHPARAM_${cipher}_${slib} = -p dh.param -.else -DHPARAM_${cipher}_${slib} = -.endif - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib} -.else -REGRESS_SLOW_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib} -.endif -run-cipher-${cipher}-client-${clib}-server-${slib} \ -client-cipher-${cipher}-client-${clib}-server-${slib}.out \ -server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \ - 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \ - -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \ - 127.0.0.1 0 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - 
../${clib}/client >${@:S/^run/client/}.out \ - -l ${cipher}${LEVEL_${clib}} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - grep -q '^success$$' ${@:S/^run/client/}.out - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib} -.else -REGRESS_SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib} -.endif -check-cipher-${cipher}-client-${clib}-server-${slib}: \ - client-cipher-${cipher}-client-${clib}-server-${slib}.out \ - server-cipher-${cipher}-client-${clib}-server-${slib}.out -.if "${clib}" != "openssl" && "${slib}" != "openssl" && \ - "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3 - # client and server 1.3 capable, not TLS 1.3 cipher -. if "${clib}" == "libressl" - # libressl client may prefer chacha-poly if aes-ni is not supported - egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/client/}.out -. else - # openssl 1.1 generic client cipher - grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out -. endif -. if "${clib}" == "libressl" - # libressl client may prefer chacha-poly if aes-ni is not supported -. if "${slib}" == "openssl11" - egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out -. else - egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/server/}.out -. endif -. else -. if "${slib}" == "openssl11" - # openssl 1.1 generic server cipher - grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out -. else - # libressl generic server cipher - grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out -. endif -. 
endif -.else - grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out - grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out -.endif - -.endfor -.endfor -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c deleted file mode 100644 index a8e66c2876..0000000000 --- a/src/regress/lib/libssl/interop/client.c +++ /dev/null 
@@ -1,273 +0,0 @@ -/* $OpenBSD: client.c,v 1.10 2020/09/14 00:51:04 bluhm Exp $ */ -/* - * Copyright (c) 2018-2019 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include -#include - -#include -#include - -#include "util.h" - -void __dead usage(void); - -void __dead -usage(void) -{ - fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] " - "[-l ciphers] [-V version] host port\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - const SSL_METHOD *method; - SSL_CTX *ctx; - SSL *ssl; - BIO *bio; - SSL_SESSION *session = NULL; - int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; - int version = 0; - char buf[256]; - char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; - char *host_port, *host = "127.0.0.1", *port = "0"; - - while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { - switch (ch) { - case 'C': - ca = optarg; - break; - case 'c': - crt = optarg; - break; - case 'k': - key = optarg; - break; - case 'L': - listciphers = 1; - break; - case 'l': - ciphers = optarg; - break; - case 's': - /* multiple reueses are possible */ - sessionreuse++; - break; - case 'V': - if (strcmp(optarg, "TLS1") == 0) { - version = TLS1_VERSION; - } else if (strcmp(optarg, "TLS1_1") == 0) 
{ - version = TLS1_1_VERSION; - } else if (strcmp(optarg, "TLS1_2") == 0) { - version = TLS1_2_VERSION; -#ifdef TLS1_3_VERSION - } else if (strcmp(optarg, "TLS1_3") == 0) { - version = TLS1_3_VERSION; -#endif - } else { - errx(1, "unknown protocol version: %s", optarg); - } - break; - case 'v': - verify = 1; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else if (!listciphers) { - usage(); - } - if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", - host, port) == -1) - err(1, "asprintf host port"); - if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL)) - errx(1, "certificate and private key must be used together"); - - SSL_library_init(); - SSL_load_error_strings(); - print_version(); - - /* setup method and context */ -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - method = TLS_client_method(); - if (method == NULL) - err_ssl(1, "TLS_client_method"); -#else - switch (version) { - case TLS1_VERSION: - method = TLSv1_client_method(); - break; - case TLS1_1_VERSION: - method = TLSv1_1_client_method(); - break; - case TLS1_2_VERSION: - method = TLSv1_2_client_method(); - break; -#ifdef TLS1_3_VERSION - case TLS1_3_VERSION: - err(1, "TLS1_3 not supported"); -#endif - default: - method = SSLv23_client_method(); - break; - } - if (method == NULL) - err_ssl(1, "SSLv23_client_method"); -#endif - ctx = SSL_CTX_new(method); - if (ctx == NULL) - err_ssl(1, "SSL_CTX_new"); - -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - if (version) { - if (SSL_CTX_set_min_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_min_proto_version"); - if (SSL_CTX_set_max_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_max_proto_version"); - } -#endif - - /* load client certificate */ - if (crt != NULL) { - if (SSL_CTX_use_certificate_file(ctx, crt, - SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_certificate_file"); - if (SSL_CTX_use_PrivateKey_file(ctx, key, - 
SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_PrivateKey_file"); - if (SSL_CTX_check_private_key(ctx) <= 0) - err_ssl(1, "SSL_CTX_check_private_key"); - } - - /* verify server certificate */ - if (ca != NULL) { - if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0) - err_ssl(1, "SSL_CTX_load_verify_locations"); - } - SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, - verify_callback); - - if (sessionreuse) { - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); - } - - if (ciphers) { - if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0) - err_ssl(1, "SSL_CTX_set_cipher_list"); - } - - if (listciphers) { - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - print_ciphers(SSL_get_ciphers(ssl)); - return 0; - } - - do { - /* setup bio for socket operations */ - bio = BIO_new_connect(host_port); - if (bio == NULL) - err_ssl(1, "BIO_new_connect"); - - /* connect */ - if (BIO_do_connect(bio) <= 0) - err_ssl(1, "BIO_do_connect"); - printf("connect "); - print_sockname(bio); - printf("connect "); - print_peername(bio); - - /* do ssl client handshake */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - SSL_set_bio(ssl, bio, bio); - /* resuse session if possible */ - if (session != NULL) { - if (SSL_set_session(ssl, session) <= 0) - err_ssl(1, "SSL_set_session"); - } - if ((error = SSL_connect(ssl)) <= 0) - err_ssl(1, "SSL_connect %d", error); - printf("session %d: %s\n", sessionreuse, - SSL_session_reused(ssl) ? 
"reuse" : "new"); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - /* print session statistics */ - if (sessionreuse) { - session = SSL_get1_session(ssl); - if (session == NULL) - err_ssl(1, "SSL1_get_session"); - } else { - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - } - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* read server greeting and write client hello over TLS */ - if ((error = SSL_read(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 9) - errx(1, "read not 9 bytes greeting: %d", error); - buf[9] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - strlcpy(buf, "hello\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 6) - errx(1, "write not 6 bytes hello: %d", error); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", - error); - } - - SSL_free(ssl); - } while (sessionreuse--); - - SSL_CTX_free(ctx); - - printf("success\n"); - - return 0; -} diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile deleted file mode 100644 index d8e20ca122..0000000000 --- a/src/regress/lib/libssl/interop/libressl/Makefile +++ /dev/null 
@@ -1,34 +0,0 @@ -# $OpenBSD: Makefile,v 1.9 2020/12/25 10:50:08 tb Exp $ - -PROGS = client server -CFLAGS += -DLIBRESSL_HAS_TLS1_3 -CPPFLAGS += -LDFLAGS += -LDADD += -lssl -lcrypto -DPADD += ${LIBSSL} ${LIBCRYPTO} -LD_LIBRARY_PATH = -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with LibreSSL - grep -q /usr/lib/libcrypto.so ldd-$p.out - grep -q /usr/lib/libssl.so ldd-$p.out - # check that $p is not linked with OpenSSL - ! grep /usr/local/lib/ ldd-$p.out - -run-version-$p: $p-self.out - # check that runtime version is LibreSSL - grep 'SSLEAY_VERSION: LibreSSL' $p-self.out - -run-protocol-$p: $p-self.out - # check that LibreSSL protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile deleted file mode 100644 index f337d4aae8..0000000000 --- a/src/regress/lib/libssl/interop/netcat/Makefile +++ /dev/null 
@@ -1,84 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2020/12/17 00:51:11 bluhm Exp $ - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl) -LIBRARIES += openssl -.endif -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 -.endif - -# run netcat server and connect with test client - -.for clib in ${LIBRARIES} - -REGRESS_TARGETS += run-netcat-client-${clib}-server-nc -REGRESS_TARGETS += run-protocol-client-${clib} - -run-netcat-client-${clib}-server-nc: ../${clib}/client 127.0.0.1.crt - echo "greeting" | \ - nc >${@:S/^run/server/}.out \ - -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \ - 127.0.0.1 0 & \ - for i in `jot 1000`; do fstat -p $$! >netcat.fstat; \ - grep -q ' stream tcp .*:[1-9][0-9]*$$' netcat.fstat && \ - exit 0; done; exit 1 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat.fstat` - # check that the client run successfully to the end - grep -q '^success$$' ${@:S/^run/client/}.out - # client must have read server greeting - grep -q '^<<< greeting$$' ${@:S/^run/client/}.out - # netstat server must have read client hello - grep -q '^hello$$' ${@:S/^run/server/}.out - -.endfor - -# run test server and connect with netcat client - -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-netcat-client-nc-server-${slib} - -run-netcat-client-nc-server-${slib}: ../${slib}/server 127.0.0.1.crt - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - 127.0.0.1 0 - echo "hello" | \ - nc >${@:S/^run/client/}.out \ - -c -R 127.0.0.1.crt \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - # check that the server child run successfully to the end - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - # server must have read client hello - grep -q '^<<< hello$$' ${@:S/^run/server/}.out - # client must have read server greeting - grep -q '^greeting$$' ${@:S/^run/client/}.out - 
-.endfor - -# check the TLS protocol version in client and server logs - -.for clib in ${LIBRARIES} - -REGRESS_TARGETS += run-protocol-client-${clib} - -run-protocol-client-${clib}: client-netcat-client-${clib}-server-nc.out - # check that LibTLS protocol version is TLS 1.2 or TLS 1.3 - grep 'Protocol *: TLSv1.[23]' client-netcat-client-${clib}-server-nc.out - -.endfor - -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-protocol-server-${slib} - -run-protocol-server-${slib}: server-netcat-client-nc-server-${slib}.out - # check that LibTLS protocol version is TLS 1.2 or TLS 1.3 - grep 'Protocol *: TLSv1.[23]' server-netcat-client-nc-server-${slib}.out - -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile deleted file mode 100644 index 181d35aa02..0000000000 --- a/src/regress/lib/libssl/interop/openssl/Makefile +++ /dev/null 
@@ -1,42 +0,0 @@ -# $OpenBSD: Makefile,v 1.8 2020/12/17 00:51:11 bluhm Exp $ - -.if ! exists(/usr/local/bin/eopenssl) -regress: - # install openssl-1.0.2 from ports for interop tests - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl -LDFLAGS = -L /usr/local/lib/eopenssl -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl/libssl.a \ - /usr/local/lib/eopenssl/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL - grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 1.0.2 - grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 1.0.2 protocol version is TLS 1.2 - grep 'Protocol *: TLSv1.2' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl) - -.include diff --git a/src/regress/lib/libssl/interop/openssl11/Makefile b/src/regress/lib/libssl/interop/openssl11/Makefile deleted file mode 100644 index 32fd611ae4..0000000000 --- a/src/regress/lib/libssl/interop/openssl11/Makefile +++ /dev/null 
@@ -1,42 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2020/12/17 00:51:11 bluhm Exp $ - -.if ! exists(/usr/local/bin/eopenssl11) -regress: - # install openssl-1.1 from ports for interop tests - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl11 -LDFLAGS = -L /usr/local/lib/eopenssl11 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl11/libssl.a \ - /usr/local/lib/eopenssl11/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl11 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 1.1 - grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 1.1 - grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 1.1 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl11) - -.include diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c deleted file mode 100644 index 68e277a87b..0000000000 --- a/src/regress/lib/libssl/interop/server.c +++ /dev/null 
@@ -1,320 +0,0 @@ -/* $OpenBSD: server.c,v 1.10 2021/07/06 11:50:34 bluhm Exp $ */ -/* - * Copyright (c) 2018-2019 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include - -#include -#include - -#include "util.h" - -void __dead usage(void); - -void __dead -usage(void) -{ - fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] " - "[-l ciphers] [-p dhparam] [-V version] [host port]\n"); - exit(2); -} - -int -main(int argc, char *argv[]) -{ - const SSL_METHOD *method; - SSL_CTX *ctx; - SSL *ssl; - BIO *abio, *cbio; - SSL_SESSION *session; - int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; - int version = 0; - char buf[256], *dhparam = NULL; - char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; - char *host_port, *host = "127.0.0.1", *port = "0"; - - while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { - switch (ch) { - case 'C': - ca = optarg; - break; - case 'c': - crt = optarg; - break; - case 'k': - key = optarg; - break; - case 'L': - listciphers = 1; - break; - case 'l': - ciphers = optarg; - break; - case 'p': - dhparam = optarg; - break; - case 's': - /* multiple reueses are possible */ - sessionreuse++; - break; - case 'V': - if (strcmp(optarg, 
"TLS1") == 0) { - version = TLS1_VERSION; - } else if (strcmp(optarg, "TLS1_1") == 0) { - version = TLS1_1_VERSION; - } else if (strcmp(optarg, "TLS1_2") == 0) { - version = TLS1_2_VERSION; -#ifdef TLS1_3_VERSION - } else if (strcmp(optarg, "TLS1_3") == 0) { - version = TLS1_3_VERSION; -#endif - } else { - errx(1, "unknown protocol version: %s", optarg); - } - break; - case 'v': - /* use twice to force client cert */ - verify++; - break; - default: - usage(); - } - } - argc -= optind; - argv += optind; - if (argc == 2) { - host = argv[0]; - port = argv[1]; - } else if (argc != 0 && !listciphers) { - usage(); - } - if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", - host, port) == -1) - err(1, "asprintf host port"); - if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL)) - errx(1, "certificate and private key must be used together"); - if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1) - err(1, "asprintf crt"); - if (key == NULL && asprintf(&key, "%s.key", host) == -1) - err(1, "asprintf key"); - - SSL_library_init(); - SSL_load_error_strings(); - print_version(); - - /* setup method and context */ -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - method = TLS_server_method(); - if (method == NULL) - err_ssl(1, "TLS_server_method"); -#else - switch (version) { - case TLS1_VERSION: - method = TLSv1_server_method(); - break; - case TLS1_1_VERSION: - method = TLSv1_1_server_method(); - break; - case TLS1_2_VERSION: - method = TLSv1_2_server_method(); - break; -#ifdef TLS1_3_VERSION - case TLS1_3_VERSION: - err(1, "TLS1_3 not supported"); -#endif - default: - method = SSLv23_server_method(); - break; - } - if (method == NULL) - err_ssl(1, "SSLv23_server_method"); -#endif - ctx = SSL_CTX_new(method); - if (ctx == NULL) - err_ssl(1, "SSL_CTX_new"); - -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - if (version) { - if (SSL_CTX_set_min_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_min_proto_version"); - if 
(SSL_CTX_set_max_proto_version(ctx, version) != 1) - err_ssl(1, "SSL_CTX_set_max_proto_version"); - } -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x10100000 - /* needed to use DHE cipher with libressl */ - if (SSL_CTX_set_dh_auto(ctx, 1) <= 0) - err_ssl(1, "SSL_CTX_set_dh_auto"); -#endif - /* needed to use ADH, EDH, DHE cipher with openssl */ - if (dhparam != NULL) { - DH *dh; - FILE *file; - - file = fopen(dhparam, "r"); - if (file == NULL) - err(1, "fopen %s", dhparam); - dh = PEM_read_DHparams(file, NULL, NULL, NULL); - if (dh == NULL) - err_ssl(1, "PEM_read_DHparams"); - if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0) - err_ssl(1, "SSL_CTX_set_tmp_dh"); - fclose(file); - } - - /* needed when linking with OpenSSL 1.0.2p */ - if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0) - err_ssl(1, "SSL_CTX_set_ecdh_auto"); - - /* load server certificate */ - if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_certificate_file"); - if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0) - err_ssl(1, "SSL_CTX_use_PrivateKey_file"); - if (SSL_CTX_check_private_key(ctx) <= 0) - err_ssl(1, "SSL_CTX_check_private_key"); - - /* request client certificate and verify it */ - if (ca != NULL) { - STACK_OF(X509_NAME) *x509stack; - - x509stack = SSL_load_client_CA_file(ca); - if (x509stack == NULL) - err_ssl(1, "SSL_load_client_CA_file"); - SSL_CTX_set_client_CA_list(ctx, x509stack); - if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0) - err_ssl(1, "SSL_CTX_load_verify_locations"); - } - SSL_CTX_set_verify(ctx, - verify == 0 ? SSL_VERIFY_NONE : - verify == 1 ? 
SSL_VERIFY_PEER : - SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - verify_callback); - - if (sessionreuse) { - uint32_t context; - - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); - context = arc4random(); - if (SSL_CTX_set_session_id_context(ctx, - (unsigned char *)&context, sizeof(context)) <= 0) - err_ssl(1, "SSL_CTX_set_session_id_context"); - } - - if (ciphers) { - if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0) - err_ssl(1, "SSL_CTX_set_cipher_list"); - } - - if (listciphers) { - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - print_ciphers(SSL_get_ciphers(ssl)); - return 0; - } - - /* setup bio for socket operations */ - abio = BIO_new_accept(host_port); - if (abio == NULL) - err_ssl(1, "BIO_new_accept"); - - /* bind, listen */ - if (BIO_do_accept(abio) <= 0) - err_ssl(1, "BIO_do_accept setup"); - printf("listen "); - print_sockname(abio); - - /* fork to background and set timeout */ - if (daemon(1, 1) == -1) - err(1, "daemon"); - alarm(10); - - do { - /* accept connection */ - if (BIO_do_accept(abio) <= 0) - err_ssl(1, "BIO_do_accept wait"); - cbio = BIO_pop(abio); - printf("accept "); - print_sockname(cbio); - printf("accept "); - print_peername(cbio); - - /* do ssl server handshake */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - SSL_set_bio(ssl, cbio, cbio); - if ((error = SSL_accept(ssl)) <= 0) - err_ssl(1, "SSL_accept %d", error); - printf("session %d: %s\n", sessionreuse, - SSL_session_reused(ssl) ? 
"reuse" : "new"); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - - /* print session statistics */ - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* write server greeting and read client hello over TLS */ - strlcpy(buf, "greeting\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 9) - errx(1, "write not 9 bytes greeting: %d", error); - if ((error = SSL_read(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 6) - errx(1, "read not 6 bytes hello: %d", error); - buf[6] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", - error); - } - - SSL_free(ssl); - } while (sessionreuse--); - - SSL_CTX_free(ctx); - - printf("success\n"); - - return 0; -} diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile deleted file mode 100644 index 12d3eb2af7..0000000000 --- a/src/regress/lib/libssl/interop/session/Makefile +++ /dev/null 
@@ -1,46 +0,0 @@ -# $OpenBSD: Makefile,v 1.6 2020/12/17 00:51:11 bluhm Exp $ - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl) -LIBRARIES += openssl -.endif -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 -.endif - -run-session-client-libressl-server-libressl \ -run-session-client-libressl-server-openssl11 \ -run-session-client-openssl11-server-libressl \ -run-session-client-openssl11-server-openssl11: - # TLS 1.3 needs some extra setup for session reuse - @echo DISABLED - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - -REGRESS_TARGETS += run-session-client-${clib}-server-${slib} - -run-session-client-${clib}-server-${slib}: \ - 127.0.0.1.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -ss \ - 127.0.0.1 0 - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - -ss \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` - grep '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep '^success$$' ${@:S/^run/server/}.out; } - grep '^success$$' ${@:S/^run/client/}.out - grep '^session 2: new$$' ${@:S/^run/server/}.out - grep '^session 2: new$$' ${@:S/^run/client/}.out - grep '^session 1: reuse$$' ${@:S/^run/server/}.out - grep '^session 1: reuse$$' ${@:S/^run/client/}.out - grep '^session 0: reuse$$' ${@:S/^run/server/}.out - grep '^session 0: reuse$$' ${@:S/^run/client/}.out - -.endfor -.endfor - -.include diff --git a/src/regress/lib/libssl/interop/util.c b/src/regress/lib/libssl/interop/util.c deleted file mode 100644 index 5190e81828..0000000000 --- a/src/regress/lib/libssl/interop/util.c +++ /dev/null 
@@ -1,145 +0,0 @@ -/* $OpenBSD: util.c,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */ -/* - * Copyright (c) 2018 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include "util.h" - -void -print_version(void) -{ -#ifdef OPENSSL_VERSION_NUMBER - printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER); -#endif -#ifdef LIBRESSL_VERSION_NUMBER - printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER); -#endif -#ifdef LIBRESSL_VERSION_TEXT - printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT); -#endif -#if OPENSSL_VERSION_NUMBER >= 0x1010000f - printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num()); - printf("OpenSSL_version OPENSSL_VERSION: %s\n", - OpenSSL_version(OPENSSL_VERSION)); - printf("OpenSSL_version OPENSSL_CFLAGS: %s\n", - OpenSSL_version(OPENSSL_CFLAGS)); - printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n", - OpenSSL_version(OPENSSL_BUILT_ON)); - printf("OpenSSL_version OPENSSL_PLATFORM: %s\n", - OpenSSL_version(OPENSSL_PLATFORM)); - printf("OpenSSL_version OPENSSL_DIR: %s\n", - OpenSSL_version(OPENSSL_DIR)); - printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n", - OpenSSL_version(OPENSSL_ENGINES_DIR)); -#endif - printf("SSLeay: 
%#08lx\n", SSLeay()); - printf("SSLeay_version SSLEAY_VERSION: %s\n", - SSLeay_version(SSLEAY_VERSION)); - printf("SSLeay_version SSLEAY_CFLAGS: %s\n", - SSLeay_version(SSLEAY_CFLAGS)); - printf("SSLeay_version SSLEAY_BUILT_ON: %s\n", - SSLeay_version(SSLEAY_BUILT_ON)); - printf("SSLeay_version SSLEAY_PLATFORM: %s\n", - SSLeay_version(SSLEAY_PLATFORM)); - printf("SSLeay_version SSLEAY_DIR: %s\n", - SSLeay_version(SSLEAY_DIR)); -} - -void -print_ciphers(STACK_OF(SSL_CIPHER) *cstack) -{ - const SSL_CIPHER *cipher; - int i; - - for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++) - printf("cipher %s\n", SSL_CIPHER_get_name(cipher)); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); -} - -void -print_sockname(BIO *bio) -{ - struct sockaddr_storage ss; - socklen_t slen; - char host[NI_MAXHOST], port[NI_MAXSERV]; - int fd; - - if (BIO_get_fd(bio, &fd) <= 0) - err_ssl(1, "BIO_get_fd"); - slen = sizeof(ss); - if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1) - err(1, "getsockname"); - if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host, - sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV)) - errx(1, "getnameinfo"); - printf("sock: %s %s\n", host, port); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); -} - -void -print_peername(BIO *bio) -{ - struct sockaddr_storage ss; - socklen_t slen; - char host[NI_MAXHOST], port[NI_MAXSERV]; - int fd; - - if (BIO_get_fd(bio, &fd) <= 0) - err_ssl(1, "BIO_get_fd"); - slen = sizeof(ss); - if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1) - err(1, "getpeername"); - if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host, - sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV)) - errx(1, "getnameinfo"); - printf("peer: %s %s\n", host, port); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); -} - -void -err_ssl(int eval, const char *fmt, ...) 
-{ - va_list ap; - - ERR_print_errors_fp(stderr); - va_start(ap, fmt); - verrx(eval, fmt, ap); - va_end(ap); -} - -int -verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) -{ - printf("verify: %s\n", preverify_ok ? "pass" : "fail"); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - return preverify_ok; -} diff --git a/src/regress/lib/libssl/interop/util.h b/src/regress/lib/libssl/interop/util.h deleted file mode 100644 index 7414a037d7..0000000000 --- a/src/regress/lib/libssl/interop/util.h +++ /dev/null @@ -1,23 +0,0 @@ -/* $OpenBSD: util.h,v 1.3 2018/11/09 06:30:41 bluhm Exp $ */ -/* - * Copyright (c) 2018 Alexander Bluhm - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -void print_version(void); -void print_ciphers(STACK_OF(SSL_CIPHER) *); -void print_sockname(BIO *); -void print_peername(BIO *); -void err_ssl(int, const char *, ...); -int verify_callback(int, X509_STORE_CTX *); diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile deleted file mode 100644 index 7ac86ccbeb..0000000000 --- a/src/regress/lib/libssl/interop/version/Makefile +++ /dev/null 
@@ -1,103 +0,0 @@ -# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $ - -# Connect a client to a server. Both can be current libressl, or -# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS -# version number. Incompatible versions must fail. Check that client -# and server have used correct version by grepping in their session -# print out. - -LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl) -LIBRARIES += openssl -.endif -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 -.endif - -VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3 - -.for cver in ${VERSIONS} -.for sver in ${VERSIONS} - -.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}" -FAIL_${cver}_${sver} = -.else -FAIL_${cver}_${sver} = ! -.endif - -.for clib in ${LIBRARIES} -.for slib in ${LIBRARIES} - -.if ("${clib}" != openssl && "${slib}" != openssl) || \ - ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver} -.else -REGRESS_SLOW_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver} -.endif - -run-version-client-${clib}-${cver}-server-${slib}-${sver} \ -client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \ -server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \ - 127.0.0.1.crt ../${clib}/client ../${slib}/server - LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ - ../${slib}/server >${@:S/^run/server/}.out \ - -c 127.0.0.1.crt -k 127.0.0.1.key \ - ${sver:Nany:S/^/-V /} \ - 127.0.0.1 0 - ${FAIL_${cver}_${sver}} \ - LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ - ../${clib}/client >${@:S/^run/client/}.out \ - ${cver:Nany:S/^/-V /} \ - `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out` -.if empty(${FAIL_${cver}_${sver}}) - grep -q '^success$$' ${@:S/^run/server/}.out || \ - { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; } - grep -q '^success$$' ${@:S/^run/client/}.out -.endif - -.if 
empty(${FAIL_${cver}_${sver}}) - -.if ("${clib}" == "libressl" || "${slib}" == "libressl") -REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver} -.else -REGRESS_SLOW_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver} -.endif - -check-version-client-${clib}-${cver}-server-${slib}-${sver}: \ - client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \ - server-version-client-${clib}-${cver}-server-${slib}-${sver}.out - @grep ' Protocol *: ' ${@:S/^check/client/}.out - @grep ' Protocol *: ' ${@:S/^check/server/}.out -.if "${cver}" == any -.if "${sver}" == any -.if "${clib}" == openssl || "${slib}" == openssl - grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out - grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out -.else - grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out - grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out -.endif -.else - grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/client/}.out - grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/server/}.out -.endif -.else - grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/client/}.out - grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \ - ${@:S/^check/server/}.out -.endif -.endif - -.endif - -.endfor -.endfor -.endfor -.endfor - -.include -- cgit v1.2.3-55-g6feb