From d25f32ed32ab5666e77ae5843fcd4f087baf139a Mon Sep 17 00:00:00 2001 From: tb <> Date: Wed, 9 Jul 2025 17:48:02 +0000 Subject: libcrypto regress: add interop harness for openssl/3.5 --- src/regress/lib/libssl/interop/Makefile | 4 +-- src/regress/lib/libssl/interop/botan/Makefile | 5 ++- src/regress/lib/libssl/interop/cert/Makefile | 5 ++- src/regress/lib/libssl/interop/cipher/Makefile | 11 ++++-- src/regress/lib/libssl/interop/netcat/Makefile | 5 ++- src/regress/lib/libssl/interop/openssl35/Makefile | 44 +++++++++++++++++++++++ src/regress/lib/libssl/interop/session/Makefile | 5 ++- src/regress/lib/libssl/interop/version/Makefile | 6 +++- 8 files changed, 75 insertions(+), 10 deletions(-) create mode 100644 src/regress/lib/libssl/interop/openssl35/Makefile (limited to 'src') diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile index bdc67f627a..acb5d18205 100644 --- a/src/regress/lib/libssl/interop/Makefile +++ b/src/regress/lib/libssl/interop/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.22 2025/07/09 17:48:02 tb Exp $ -SUBDIR = libressl openssl33 openssl34 +SUBDIR = libressl openssl33 openssl34 openssl35 # the above binaries must have been built before we can continue SUBDIR += netcat diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile index 85877d4290..1464cf84a8 100644 --- a/src/regress/lib/libssl/interop/botan/Makefile +++ b/src/regress/lib/libssl/interop/botan/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.11 2025/07/09 17:48:02 tb Exp $ .include @@ -26,6 +26,9 @@ LIBRARIES += openssl33 .if exists(/usr/local/bin/eopenssl34) LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +LIBRARIES += openssl35 +.endif PROGS = client SRCS_client = client.cpp 
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile index 74c63c86a8..8f05e3f84d 100644 --- a/src/regress/lib/libssl/interop/cert/Makefile +++ b/src/regress/lib/libssl/interop/cert/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.15 2025/07/09 17:48:02 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 3.x. Create client and server certificates @@ -13,6 +13,9 @@ LIBRARIES += openssl33 .if exists(/usr/local/bin/eopenssl34) LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +LIBRARIES += openssl35 +.endif .for cca in noca ca fakeca .for sca in noca ca fakeca diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile index fa7e25f9ee..6693b962d0 100644 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ b/src/regress/lib/libssl/interop/cipher/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.18 2025/07/09 17:48:02 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or 3.0. Create lists of supported ciphers @@ -13,6 +13,9 @@ LIBRARIES += openssl33 .if exists(/usr/local/bin/eopenssl34) LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +LIBRARIES += openssl35 +.endif CLEANFILES = *.tmp *.ciphers ciphers.mk @@ -42,7 +45,8 @@ client-${clib}-server-${slib}.ciphers: \ # we are only interested in ciphers supported by libressl sort $@ client-libressl.ciphers >$@.tmp . if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \ - "${clib}" == "openssl34" || "${slib}" == "openssl34" + "${clib}" == "openssl34" || "${slib}" == "openssl34" || \ + "${clib}" == "openssl35" || "${slib}" == "openssl35" # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers sed -i '/^TLS_/d' $@.tmp . endif 
@@ -72,6 +76,7 @@ regress: ciphers.mk LEVEL_libressl = LEVEL_openssl33 = ,@SECLEVEL=0 LEVEL_openssl34 = ,@SECLEVEL=0 +LEVEL_openssl35 = ,@SECLEVEL=0 .for clib in ${LIBRARIES} .for slib in ${LIBRARIES} @@ -132,7 +137,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \ . endif . if "${clib}" == "libressl" # libressl client may prefer chacha-poly if aes-ni is not supported -. if "${slib}" == "openssl33" || "${slib}" == "openssl34" +. if "${slib}" == "openssl33" || "${slib}" == "openssl34" || "${slib}" == "openssl35" egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out . else egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile index 3b8e3f95be..0f2864ccca 100644 --- a/src/regress/lib/libssl/interop/netcat/Makefile +++ b/src/regress/lib/libssl/interop/netcat/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.11 2025/07/09 17:48:02 tb Exp $ LIBRARIES = libressl .if exists(/usr/local/bin/eopenssl33) @@ -7,6 +7,9 @@ LIBRARIES += openssl33 .if exists(/usr/local/bin/eopenssl34) LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +LIBRARIES += openssl35 +.endif # run netcat server and connect with test client diff --git a/src/regress/lib/libssl/interop/openssl35/Makefile b/src/regress/lib/libssl/interop/openssl35/Makefile new file mode 100644 index 0000000000..e11ad5dd20 --- /dev/null +++ b/src/regress/lib/libssl/interop/openssl35/Makefile 
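Review bot: `LEVEL_openssl35 = ,@SECLEVEL=0` in the `@@ -72,6 +76,7 @@` hunk of cipher/Makefile lowers OpenSSL's security level to 0 for the 3.5 peer, and nothing says why. It matches the openssl33 and openssl34 lines above it, and the place where `LEVEL_*` is consumed is outside the hunk, so the reason can only be inferred. A comment above the assignments would record it, for example `# OpenSSL 3.x refuses legacy ciphers at its default security level; level 0 is for this regress harness only` (if that is indeed the reason). This keeps the value from being copied into a non-test configuration.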
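Review bot: In the `@@ -132,7 +137,7 @@` hunk of cipher/Makefile, the extended `.if "${slib}" == "openssl33" || "${slib}" == "openssl34" || "${slib}" == "openssl35"` selects between two `egrep -q` lines that are character-for-character identical in the visible context. Adding openssl35 to the condition therefore changes nothing the test checks. If the branches are meant to differ, the pattern intended for the OpenSSL server case is missing. If not, the `.if`/`.else` can be collapsed to the single `egrep -q` line, and the condition no longer needs a new term for each OpenSSL release. The enclosing rule starts and ends outside the hunk.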
@@ -0,0 +1,44 @@ +# $OpenBSD: Makefile,v 1.1 2025/07/09 17:48:02 tb Exp $ + +.if ! exists(/usr/local/bin/eopenssl35) +regress: + # install openssl-3.5 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.5" to run tests against OpenSSL 3.5' + @echo SKIPPED +.else + +PROGS = client server +CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED +CPPFLAGS = -I /usr/local/include/eopenssl35 +LDFLAGS = -L /usr/local/lib/eopenssl35 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl35/libssl.a \ + /usr/local/lib/eopenssl35/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl35 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.5 + grep -q /usr/local/lib/eopenssl35/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl35/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v -e libc.so -e libpthread.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.5 + grep 'SSLEAY_VERSION: OpenSSL 3.5' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.5 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl35) + +.include diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile index e9a353f99e..4670240f9f 100644 --- a/src/regress/lib/libssl/interop/session/Makefile +++ b/src/regress/lib/libssl/interop/session/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.13 2025/07/09 17:48:02 tb Exp $ LIBRARIES = libressl .if exists(/usr/local/bin/eopenssl33) 
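Review bot: The `run-version-$p` and `run-protocol-$p` checks in the new openssl35/Makefile use unanchored patterns with unescaped dots, so `grep 'SSLEAY_VERSION: OpenSSL 3.5'` would also accept a version string such as `OpenSSL 3.50` (constructed example). Together with `run-ldd-$p`, these checks are what establish that the peer under test really is OpenSSL 3.5 and not another library, so they are worth making exact. The proposed lines are `grep 'SSLEAY_VERSION: OpenSSL 3\.5\.' $p-self.out` and `grep 'Protocol *: TLSv1\.3' $p-self.out`.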
@@ -7,6 +7,9 @@ LIBRARIES = libressl .if exists(/usr/local/bin/eopenssl34) #LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +#LIBRARIES += openssl35 +.endif run-session-client-libressl-server-libressl: # TLS 1.3 needs some extra setup for session reuse diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile index 605fba252f..133fc29629 100644 --- a/src/regress/lib/libssl/interop/version/Makefile +++ b/src/regress/lib/libssl/interop/version/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ +# $OpenBSD: Makefile,v 1.11 2025/07/09 17:48:02 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS @@ -13,6 +13,9 @@ LIBRARIES += openssl33 .if exists(/usr/local/bin/eopenssl34) LIBRARIES += openssl34 .endif +.if exists(/usr/local/bin/eopenssl35) +LIBRARIES += openssl35 +.endif VERSIONS = any TLS1_2 TLS1_3 @@ -31,6 +34,7 @@ FAIL_${cver}_${sver} = ! .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \ ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \ (("${clib}" != openssl34 && "${slib}" != openssl34)) || \ + (("${clib}" != openssl35 && "${slib}" != openssl35)) || \ (("${cver}" != any && "${sver}" != any) && \ ("${cver}" != TLS1 && "${sver}" != TLS1) && \ ("${cver}" != TLS1_1 && "${sver}" != TLS1_1))) -- cgit v1.2.3-55-g6feb
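Review bot: The block added in the `@@ -7,6 +7,9 @@` hunk of session/Makefile has only the commented-out `#LIBRARIES += openssl35` as its body. Session reuse against OpenSSL 3.5 is therefore never exercised, and nothing in the visible lines says why. The openssl34 block just above it is disabled in the same way. A comment above these blocks would record the reason and what has to change before they can be enabled, for example `# XXX session tests against OpenSSL 3.x are disabled: <reason>`.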
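Review bot: With the third term added in the `@@ -31,6 +34,7 @@` hunk of version/Makefile, the library part of the `.if` can no longer be false. The three `!=` pairs are joined with `||`, and a client/server pair names at most two libraries, so at least one of the openssl33, openssl34 and openssl35 terms is always true. The condition then reduces to `"${cver}" != TLS1_3 && "${sver}" != TLS1_3`, and the `any`/`TLS1`/`TLS1_1` clause after it is never decisive. If the intent is "no OpenSSL 3.x peer is involved", the three library terms need `&&` between them, with that group `||`-ed against the version clause. The body of the `.if` is outside the hunk, so which test targets this affects cannot be confirmed from here.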