-# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
-SUBDIR = libressl openssl openssl11 openssl30
+SUBDIR = libressl openssl11 openssl30
# the above binaries must have been built before we can continue
SUBDIR += netcat
# What is below takes a long time.
# setting REGRESS_SKIP_SLOW to "yes" in mk.conf
# will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
+# but do things like test openssl11 to openssl30
SUBDIR += version
SUBDIR += cipher
# This takes a really long time.
Test TLS interoperability between LibreSSL and OpenSSL.
Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
+by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0. This
way API compatibility is tested.
To self test each SSL library, connect client with server. Check
that the highest available TLS version is selected. LibreSSL TLS
1.3 check has to be enabled when the feature becomes available.
-Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
-soon as LibreSSL supports TLS 1.3, it should be used automatically
-when netcat is communicating with OpenSSL 1.1.
-
Connect and accept with netcat to test protocol compatibility with
libtls. Test TLS session reuse multiple times with different library
combinations. The cert subdir is testing all combinations of
-# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/02/01 14:39:09 tb Exp $
# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0. Create client and server certificates
+# openssl 1.1 or 3.0. Create client and server certificates
# that are signed by a CA and not signed by a fake CA. Try all
# combinations with, without, and with wrong CA for client and server
# and check the result of certificate verification.
LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
.if exists(/usr/local/bin/eopenssl11)
LIBRARIES += openssl11
.endif
-# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/02/01 14:39:09 tb Exp $
# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers
+# openssl 1.1 or 3.0. Create lists of supported ciphers
# and pin client and server to one of the ciphers. Use server
# certificate with compatible type. Check that client and server
# have used correct cipher by grepping in their session print out.
@echo DISABLED
LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
.if exists(/usr/local/bin/eopenssl11)
LIBRARIES += openssl11
.endif
.endif
LEVEL_libressl =
-LEVEL_openssl =
LEVEL_openssl11 = ,@SECLEVEL=0
LEVEL_openssl30 = ,@SECLEVEL=0
TYPE_${cipher} = 127.0.0.1
.endif
-.if "${slib}" == "openssl" && \
- "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
-DHPARAM_${cipher}_${slib} = -p dh.param
-.else
DHPARAM_${cipher}_${slib} =
-.endif
.if ("${clib}" == "libressl" || "${slib}" == "libressl")
REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
check-cipher-${cipher}-client-${clib}-server-${slib}: \
client-cipher-${cipher}-client-${clib}-server-${slib}.out \
server-cipher-${cipher}-client-${clib}-server-${slib}.out
-.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
- "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
+.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
# client and server 1.3 capable, not TLS 1.3 cipher
. if "${clib}" == "libressl"
# libressl client may prefer chacha-poly if aes-ni is not supported
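Review bot: With the `.if "${slib}" == "openssl"` branch gone, `DHPARAM_${cipher}_${slib} =` is now assigned unconditionally empty for every cipher/slib pair, so the variable can never carry `-p dh.param` again. Whatever expands it (presumably a server recipe outside this hunk) and any rule that generates `dh.param` look like dead code now; either remove the assignment together with its uses, or keep a one-line comment such as `# DHPARAM_* is always empty: no remaining library needs explicit DH parameters` so the next reader does not look for the missing branch. The surrounding `.for cipher`/`.for slib` loops start and end outside the hunk.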
+++ /dev/null
-# $OpenBSD: Makefile,v 1.9 2021/12/02 17:10:53 kn Exp $
-
-.if ! exists(/usr/local/bin/eopenssl)
-regress:
- # install openssl-1.0.2 from ports for interop tests
- @echo 'Run "pkg_add openssl--%1.0.2" to run tests against OpenSSL 1.0.2'
- @echo SKIPPED
-.else
-
-PROGS = client server
-CPPFLAGS = -I /usr/local/include/eopenssl
-LDFLAGS = -L /usr/local/lib/eopenssl
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl/libssl.a \
- /usr/local/lib/eopenssl/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with OpenSSL
- grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
- grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
- # check that $p is not linked with LibreSSL
- ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
- # check that runtime version is OpenSSL 1.0.2
- grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that OpenSSL 1.0.2 protocol version is TLS 1.2
- grep 'Protocol *: TLSv1.2' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl)
-
-.include <bsd.regress.mk>
-/* $OpenBSD: server.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */
+/* $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $ */
/*
* Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
*
version = TLS1_1_VERSION;
} else if (strcmp(optarg, "TLS1_2") == 0) {
version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
} else if (strcmp(optarg, "TLS1_3") == 0) {
version = TLS1_3_VERSION;
-#endif
} else {
errx(1, "unknown protocol version: %s", optarg);
}
fclose(file);
}
- /* needed when linking with OpenSSL 1.0.2p */
- if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
- err_ssl(1, "SSL_CTX_set_ecdh_auto");
-
/* load server certificate */
if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
err_ssl(1, "SSL_CTX_use_certificate_file");
if (listciphers) {
STACK_OF(SSL_CIPHER) *supported_ciphers;
-#if OPENSSL_VERSION_NUMBER < 0x1010000f
-#define SSL_get1_supported_ciphers SSL_get_ciphers
-#endif
ssl = SSL_new(ctx);
if (ssl == NULL)
err_ssl(1, "SSL_new");
err_ssl(1, "SSL_get1_supported_ciphers");
print_ciphers(supported_ciphers);
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
sk_SSL_CIPHER_free(supported_ciphers);
-#endif
return 0;
}
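Review bot: The `SSL` object created by `SSL_new(ctx)` at the top of the `listciphers` block is not released before `return 0;` — only the cipher stack is freed on the line above. Now that the `OPENSSL_VERSION_NUMBER` fallback is gone and the free is unconditional, it would be consistent to add `SSL_free(ssl);` right after `sk_SSL_CIPHER_free(supported_ciphers);`, unless `ssl` is released on an exit path outside the hunk. The enclosing function starts outside the hunk.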
-# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2023/02/01 14:39:09 tb Exp $
# Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
+# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
# version number. Incompatible versions must fail. Check that client
# and server have used correct version by grepping in their session
# print out.
LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
.if exists(/usr/local/bin/eopenssl11)
LIBRARIES += openssl11
.endif
.for clib in ${LIBRARIES}
.for slib in ${LIBRARIES}
-.if (("${clib}" != openssl && "${slib}" != openssl) || \
- ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
+.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
(("${clib}" != openssl30 && "${slib}" != openssl30) || \
(("${cver}" != any && "${sver}" != any) && \
("${cver}" != TLS1 && "${sver}" != TLS1) && \
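Review bot: The simplified condition changes which targets are generated rather than just dropping the openssl case: the old first factor was `(no openssl) || (no TLS1_3)`, which is always true once openssl is gone, but the new code keeps `("${cver}" != TLS1_3 && "${sver}" != TLS1_3)` as a hard requirement, so any run pinning client or server to TLS1_3 is now skipped for libressl, openssl11 and openssl30 where it previously ran (assuming `VERSIONS`, defined outside the hunk, contains TLS1_3). If that is intended it deserves a comment; otherwise drop the first factor and one level of parentheses, starting with `.if ("${clib}" != openssl30 && "${slib}" != openssl30) || \`, and remove the matching closing parenthesis at the end of the condition, which lies outside this hunk. The `.for cver`/`.for sver` loops this sits in start and end outside the hunk as well.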
@grep ' Protocol *: ' ${@:S/^check/server/}.out
.if "${cver}" == any
.if "${sver}" == any
-.if "${clib}" == openssl || "${slib}" == openssl
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
-.else
grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
-.endif
.else
grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
${@:S/^check/client/}.out