From 416f6443c32059b6a72a8e533d875fd66c49b092 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 27 Jan 2023 08:28:36 +0000
Subject: [PATCH] Add openssl 3.0 interop tests

The plan is to retire the 1.0.2 interop tests soon so as to be able to drop the dead and dangerous OpenSSL 1.0.2 port. The cert part is extremely slow on arm64: the whole interop test on an m1 is about 10x slower (~45 min!) than on a modern amd64 laptop, so people running regress may want to wait a bit with adding OpenSSL 3 to their test boxes until this is sorted out.
---
 regress/lib/libssl/interop/Makefile | 4 +-
 regress/lib/libssl/interop/cert/Makefile | 7 ++-
 regress/lib/libssl/interop/cipher/Makefile | 15 ++++--
 regress/lib/libssl/interop/openssl30/Makefile | 43 +++++++++++++++++++
 regress/lib/libssl/interop/version/Makefile | 13 ++++-
 5 files changed, 70 insertions(+), 12 deletions(-)
 create mode 100644 regress/lib/libssl/interop/openssl30/Makefile

diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile
index 789ff00e7f1..2f6b165ae65 100644
--- a/regress/lib/libssl/interop/Makefile
+++ b/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.15 2021/08/30 17:34:02 tb Exp $
+# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
 
-SUBDIR = libressl openssl openssl11
+SUBDIR = libressl openssl openssl11 openssl30
 # the above binaries must have been built before we can continue
 SUBDIR += netcat
diff --git a/regress/lib/libssl/interop/cert/Makefile b/regress/lib/libssl/interop/cert/Makefile
index 6698975d7e8..6156a988ae7 100644
--- a/regress/lib/libssl/interop/cert/Makefile
+++ b/regress/lib/libssl/interop/cert/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.7 2021/09/03 11:58:24 bluhm Exp $
+# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create client and server certificates
+# openssl 1.0.2, 1.1, or 3.0. Create client and server certificates
 # that are signed by a CA and not signed by a fake CA. Try all
 # combinations with, without, and with wrong CA for client and server
 # and check the result of certificate verification.
@@ -13,6 +13,9 @@ LIBRARIES += openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES += openssl30
+.endif
 
 .for cca in noca ca fakeca
 .for sca in noca ca fakeca
diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index bfe8cfea7ae..46951f67821 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
+# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers
 # and pin client and server to one of the ciphers. Use server
 # certificate with compatible type. Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -24,6 +24,9 @@ LIBRARIES += openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES += openssl30
+.endif
 
 CLEANFILES = *.tmp *.ciphers ciphers.mk
 
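Review bot: The `.if exists(/usr/local/bin/eopenssl30)` / `LIBRARIES += openssl30` / `.endif` block added in the @@ -13,6 hunk is repeated verbatim in cipher/Makefile (hunk @@ -24,6) and version/Makefile (hunk @@ -13,6), on top of the per-file openssl and openssl11 probes that were already duplicated. Keeping the library list in one shared include that the three test directories pull in would mean the next OpenSSL branch is added once and the three matrices cannot drift apart. The probe keys on the port's binary under /usr/local/bin while the test programs link against /usr/local/lib/eopenssl30 (see the new openssl30/Makefile); that mirrors the existing openssl11 check, so it is not a regression, but a comment such as `# the eopenssl30 binary is the marker for an installed openssl--%3.0 port` would say why a binary stands in for the libraries.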
@@ -52,8 +55,9 @@ client-${clib}-server-${slib}.ciphers: \
 uniq -d <$@.tmp >$@
 # we are only interested in ciphers supported by libressl
 sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
- # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
+ "${clib}" == "openssl30" || "${slib}" == "openssl30"
+ # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
 sed -i '/^TLS_/d' $@.tmp
 . endif
 uniq -d <$@.tmp >$@
@@ -82,6 +86,7 @@ regress: ciphers.mk
 LEVEL_libressl =
 LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
+LEVEL_openssl30 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -148,7 +153,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
 # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11"
+. if "${slib}" == "openssl11" || "${slib}" == "openssl30"
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 . else
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/regress/lib/libssl/interop/openssl30/Makefile b/regress/lib/libssl/interop/openssl30/Makefile
new file mode 100644
index 00000000000..d667d1b17ee
--- /dev/null
+++ b/regress/lib/libssl/interop/openssl30/Makefile
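Review bot: The widened `. if` in the @@ -52,8 hunk now enumerates four library comparisons and will grow again with every OpenSSL branch the matrix gains, although the same file already keys per-library differences on variables such as `LEVEL_openssl11`. A per-library flag would keep the rule in one place: `NO_TLS13_CIPHERLIST_openssl11 = yes`, `NO_TLS13_CIPHERLIST_openssl30 = yes`, and then `.if defined(NO_TLS13_CIPHERLIST_${clib}) || defined(NO_TLS13_CIPHERLIST_${slib})`. The rewritten comment reads as if every OpenSSL release were affected, while the condition deliberately leaves the 1.0.2 build out; `# OpenSSL 1.1 and 3.0 take TLSv1.3 suites via SSL_CTX_set_ciphersuites, not SSL_CTX_set_cipher_list` states the actual reason. The client-${clib}-server-${slib}.ciphers rule this sits in starts before the hunk.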
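Review bot: `LEVEL_openssl30 = ,@SECLEVEL=0` in the @@ -82,6 hunk lowers OpenSSL 3.0's security level to 0 for every cipher in the matrix, like the openssl11 line above it, but neither line says why, and a reader could take the harness setting for a recommended configuration. Presumably level 0 is needed so the legacy suites and key sizes the matrix still exercises can be negotiated at all — please confirm — and a comment on the block such as `# SECLEVEL=0 is test-only: it lets OpenSSL 1.1/3.0 negotiate the legacy suites in the matrix` would carry the intent. If the intent is instead to keep the OpenSSL 3.0 default and let unsupported suites drop out of the intersection, the line can stay empty like LEVEL_libressl.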
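Review bot: As rendered in the @@ -148,7 hunk, the `egrep` guarded by the widened `. if "${slib}" == "openssl11" || "${slib}" == "openssl30"` and the one in the `. else` branch are identical, which would make the new condition a no-op; if the real file's else branch differs in a way this rendering collapsed, nothing is wrong. Either way, a one-line comment on each branch naming the cipher-name spelling expected from that server type would make the split self-explanatory. The check-cipher rule this belongs to starts before the hunk and continues after it.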
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/01/27 08:28:36 tb Exp $
+
+.if ! exists(/usr/local/bin/eopenssl30)
+regress:
+ # install openssl-3.0 from ports for interop tests
+ @echo 'Run "pkg_add openssl--%3.0" to run tests against OpenSSL 3.0'
+ @echo SKIPPED
+.else
+
+PROGS = client server
+CPPFLAGS = -I /usr/local/include/eopenssl30
+LDFLAGS = -L /usr/local/lib/eopenssl30
+LDADD = -lssl -lcrypto
+DPADD = /usr/local/lib/eopenssl30/libssl.a \
+ /usr/local/lib/eopenssl30/libcrypto.a
+LD_LIBRARY_PATH = /usr/local/lib/eopenssl30
+REGRESS_TARGETS = run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+ # check that $p is linked with OpenSSL 3.0
+ grep -q /usr/local/lib/eopenssl30/libcrypto.so ldd-$p.out
+ grep -q /usr/local/lib/eopenssl30/libssl.so ldd-$p.out
+ # check that $p is not linked with LibreSSL
+ ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+ # check that runtime version is OpenSSL 3.0
+ grep 'SSLEAY_VERSION: OpenSSL 3.0' $p-self.out
+
+run-protocol-$p: $p-self.out
+ # check that OpenSSL 3.0 protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl30)
+
+.include
diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile
index 7ac86ccbeb6..7b1be9a3edf 100644
--- a/regress/lib/libssl/interop/version/Makefile
+++ b/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
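Review bot: The three run-* targets inside `.for p in ${PROGS}` consume `ldd-$p.out` and `$p-self.out`, but nothing in this new Makefile produces them; presumably the shared interop rules pulled in by the trailing `.include` (whose argument is not visible in this rendering) do, and a comment above the loop, `# ldd-$p.out and $p-self.out are produced by the shared interop rules`, would spare the next reader the search. In `run-version-$p`, `grep 'SSLEAY_VERSION: OpenSSL 3.0'` is unanchored and matches any 3.0.x, which is likely intended since the port follows 3.0 patch releases; `grep -q` would keep it as quiet as the ldd checks. `LD_LIBRARY_PATH` is assigned as a make variable, which only reaches the test programs if the shared rules export it or put it on their command line — worth confirming, since the `run-ldd-$p` check is the only thing that would notice the base LibreSSL being loaded instead.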
@@ -13,6 +13,9 @@ LIBRARIES += openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES += openssl30
+.endif
 
 VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
 
@@ -28,8 +31,12 @@ FAIL_${cver}_${sver} = !
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
 
-.if ("${clib}" != openssl && "${slib}" != openssl) || \
- ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
+.if (("${clib}" != openssl && "${slib}" != openssl) || \
+ ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
+ (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+ (("${cver}" != any && "${sver}" != any) && \
+ ("${cver}" != TLS1 && "${sver}" != TLS1) && \
+ ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
 .if ("${clib}" == "libressl" || "${slib}" == "libressl")
 REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
--
2.20.1
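Review bot: The file header of version/Makefile still describes the matrix as "openssl 1.0.2, or openssl 1.1" (context line in the @@ -1,4 hunk above) although the @@ -13,6 hunk adds openssl30 to LIBRARIES. cert/Makefile and cipher/Makefile update the same sentence in this commit, so the line here should become `# openssl 1.0.2, 1.1, or 3.0. Pin client or server to a fixed TLS` for consistency.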
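Review bot: The widened `.if` in the @@ -28,8 hunk is a six-way parenthesised expression over six continuation lines, and nothing says which combinations it drops or why; the reader has to evaluate it to learn that openssl paired with TLS1_3, and openssl30 paired with any, TLS1 or TLS1_1, are excluded. Presumably the second group exists because OpenSSL 3.0 refuses TLS 1.0/1.1 handshakes at its default security level — please confirm — and a comment above the condition such as `# skip: openssl 1.0.2 has no TLS 1.3; openssl 3.0 rejects TLS 1.0/1.1 at its default security level` would carry that intent. Splitting the exclusion into one named variable per library, combined by a short `.if`, would also keep it readable when the next branch is added. The enclosing `.for clib`/`.for slib` loops begin in the hunk's context and close after it.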