From 562d56f41518b327c77351609646053d402a7b92 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 1 Feb 2023 14:39:09 +0000
Subject: [PATCH] Retire OpenSSL 1.0.2 interop

Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the interop tests anymore. anton's and bluhm's regress tests will switch to testing interoperability with OpenSSL 3.0.
---
 regress/lib/libssl/interop/Makefile | 6 +--
 regress/lib/libssl/interop/README | 6 +--
 regress/lib/libssl/interop/cert/Makefile | 7 +---
 regress/lib/libssl/interop/cipher/Makefile | 16 ++------
 regress/lib/libssl/interop/openssl/Makefile | 43 ---------------------
 regress/lib/libssl/interop/server.c | 13 +------
 regress/lib/libssl/interop/version/Makefile | 15 ++-----
 7 files changed, 13 insertions(+), 93 deletions(-)
 delete mode 100644 regress/lib/libssl/interop/openssl/Makefile

diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile
index 2f6b165ae65..72dc87b5c26 100644
--- a/regress/lib/libssl/interop/Makefile
+++ b/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
 
-SUBDIR = libressl openssl openssl11 openssl30
+SUBDIR = libressl openssl11 openssl30
 
 # the above binaries must have been built before we can continue
 SUBDIR += netcat
@@ -10,7 +10,7 @@ SUBDIR += botan
 # What is below takes a long time.
 # setting REGRESS_SKIP_SLOW to "yes" in mk.conf
 # will skip the tests that do not test libressl
-# but do things like test openssl to openssl11
+# but do things like test openssl11 to openssl30
 SUBDIR += version
 SUBDIR += cipher
 # This takes a really long time.
diff --git a/regress/lib/libssl/interop/README b/regress/lib/libssl/interop/README
index 54910e554de..091e63f6fc7 100644
--- a/regress/lib/libssl/interop/README
+++ b/regress/lib/libssl/interop/README
@@ -1,17 +1,13 @@
 Test TLS interoperability between LibreSSL and OpenSSL. Implement simple SSL client and server in C. Create six binaries
-by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
+by linking them with LibreSSL or OpenSSL 1.1 or OpenSSL 3.0. This
 way API compatibility is tested. To self test each SSL library, connect client with server. Check that the highest available TLS version is selected. LibreSSL TLS 1.3 check has to be enabled when the feature becomes available.
-Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
-soon as LibreSSL supports TLS 1.3, it should be used automatically
-when netcat is communicating with OpenSSL 1.1.
-
 Connect and accept with netcat to test protocol compatibility with libtls. Test TLS session reuse multiple times with different library combinations. The cert subdir is testing all combinations of
diff --git a/regress/lib/libssl/interop/cert/Makefile b/regress/lib/libssl/interop/cert/Makefile
index 6156a988ae7..32b7a4f4f11 100644
--- a/regress/lib/libssl/interop/cert/Makefile
+++ b/regress/lib/libssl/interop/cert/Makefile
@@ -1,15 +1,12 @@
-# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/02/01 14:39:09 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0. Create client and server certificates
+# openssl 1.1 or 3.0. Create client and server certificates
 # that are signed by a CA and not signed by a fake CA. Try all
 # combinations with, without, and with wrong CA for client and server
 # and check the result of certificate verification.
 
 LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 46951f67821..3cb4330d311 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/02/01 14:39:09 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, 1.1, or 3.0. Create lists of supported ciphers
+# openssl 1.1 or 3.0. Create lists of supported ciphers
 # and pin client and server to one of the ciphers. Use server
 # certificate with compatible type. Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -18,9 +18,6 @@ check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
 @echo DISABLED
 
 LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
@@ -84,7 +81,6 @@ regress: ciphers.mk
 .endif
 
 LEVEL_libressl =
-LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
 LEVEL_openssl30 = ,@SECLEVEL=0
 
@@ -104,12 +100,7 @@ TYPE_${cipher} = rsa
 TYPE_${cipher} = 127.0.0.1
 .endif
 
-.if "${slib}" == "openssl" && \
- "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
-DHPARAM_${cipher}_${slib} = -p dh.param
-.else
 DHPARAM_${cipher}_${slib} =
-.endif
 
 .if ("${clib}" == "libressl" || "${slib}" == "libressl")
 REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
@@ -141,8 +132,7 @@ REGRESS_SLOW_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
 check-cipher-${cipher}-client-${clib}-server-${slib}: \
 client-cipher-${cipher}-client-${clib}-server-${slib}.out \
 server-cipher-${cipher}-client-${clib}-server-${slib}.out
-.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
- "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
+.if "${cipher:C/TLS_(AES.*_GCM|CHACHA.*_POLY.*)_SHA.*/TLS1_3/}" != TLS1_3
 # client and server 1.3 capable, not TLS 1.3 cipher
 . if "${clib}" == "libressl"
 # libressl client may prefer chacha-poly if aes-ni is not supported
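Review bot: In the DHPARAM hunk the `.if`/`.else` collapses to an unconditional `DHPARAM_${cipher}_${slib} =`, so what remains is a variable that is always empty; whatever expands it (outside this hunk, presumably the server invocation) and any `dh.param` generation that only existed for the 1.0.2 `-p dh.param` case are now dead plumbing rather than cleanly removed. The tidier change is to delete the `DHPARAM_${cipher}_${slib} =` line together with its `${DHPARAM_...}` expansion and the dh.param producer, rather than keep an always-empty knob. The enclosing `.for cipher`/`.for slib` loops start and end outside the hunk, so I cannot confirm from here that nothing else still reads the variable.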
diff --git a/regress/lib/libssl/interop/openssl/Makefile b/regress/lib/libssl/interop/openssl/Makefile
deleted file mode 100644
index 53c51a83eef..00000000000
--- a/regress/lib/libssl/interop/openssl/Makefile
+++ /dev/null
@@ -1,43 +0,0 @@
-# $OpenBSD: Makefile,v 1.9 2021/12/02 17:10:53 kn Exp $
-
-.if ! exists(/usr/local/bin/eopenssl)
-regress:
- # install openssl-1.0.2 from ports for interop tests
- @echo 'Run "pkg_add openssl--%1.0.2" to run tests against OpenSSL 1.0.2'
- @echo SKIPPED
-.else
- PROGS = client server
-CPPFLAGS = -I /usr/local/include/eopenssl
-LDFLAGS = -L /usr/local/lib/eopenssl
-LDADD = -lssl -lcrypto
-DPADD = /usr/local/lib/eopenssl/libssl.a \
- /usr/local/lib/eopenssl/libcrypto.a
-LD_LIBRARY_PATH = /usr/local/lib/eopenssl
-REGRESS_TARGETS = run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
- # check that $p is linked with OpenSSL
- grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
- grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
- # check that $p is not linked with LibreSSL
- ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
- # check that runtime version is OpenSSL 1.0.2
- grep 'SSLEAY_VERSION: OpenSSL 1.0.2' $p-self.out
-
-run-protocol-$p: $p-self.out
- # check that OpenSSL 1.0.2 protocol version is TLS 1.2
- grep 'Protocol *: TLSv1.2' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl)
-
-.include
diff --git a/regress/lib/libssl/interop/server.c b/regress/lib/libssl/interop/server.c
index c8e4cb7fc30..a634adb43ba 100644
--- a/regress/lib/libssl/interop/server.c
+++ b/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.11 2022/07/07 13:12:57 tb Exp $ */
+/* $OpenBSD: server.c,v 1.12 2023/02/01 14:39:09 tb Exp $ */
 /*
  * Copyright (c) 2018-2019 Alexander Bluhm
  *
@@ -85,10 +85,8 @@ main(int argc, char *argv[])
 version = TLS1_1_VERSION;
 } else if (strcmp(optarg, "TLS1_2") == 0) {
 version = TLS1_2_VERSION;
-#ifdef TLS1_3_VERSION
 } else if (strcmp(optarg, "TLS1_3") == 0) {
 version = TLS1_3_VERSION;
-#endif
 } else {
 errx(1, "unknown protocol version: %s", optarg);
 }
@@ -184,10 +182,6 @@ main(int argc, char *argv[])
 fclose(file);
 }
 
- /* needed when linking with OpenSSL 1.0.2p */
- if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
- err_ssl(1, "SSL_CTX_set_ecdh_auto");
-
 /* load server certificate */
 if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
 err_ssl(1, "SSL_CTX_use_certificate_file");
@@ -231,9 +225,6 @@ main(int argc, char *argv[])
 if (listciphers) {
 STACK_OF(SSL_CIPHER) *supported_ciphers;
 
-#if OPENSSL_VERSION_NUMBER < 0x1010000f
-#define SSL_get1_supported_ciphers SSL_get_ciphers
-#endif
 ssl = SSL_new(ctx);
 if (ssl == NULL)
 err_ssl(1, "SSL_new");
@@ -242,9 +233,7 @@ main(int argc, char *argv[])
 err_ssl(1, "SSL_get1_supported_ciphers");
 print_ciphers(supported_ciphers);
 
-#if OPENSSL_VERSION_NUMBER >= 0x1010000f
 sk_SSL_CIPHER_free(supported_ciphers);
-#endif
 
 return 0;
 }
diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile
index 7b1be9a3edf..1e0af57a66b 100644
--- a/regress/lib/libssl/interop/version/Makefile
+++ b/regress/lib/libssl/interop/version/Makefile
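Review bot: In the last server.c hunk `sk_SSL_CIPHER_free(supported_ciphers)` becomes unconditional, but the `ssl` object obtained from `SSL_new(ctx)` in the preceding hunk is still never released before `return 0;`, so the listciphers path frees the cipher stack and then leaks the SSL it was taken from (and ctx, which is not freed before the return either). Adding `SSL_free(ssl);` before `return 0;` keeps the clean-up symmetric with the free this hunk makes unconditional; the process exits right away, so this only shows up under leak checkers. main() continues on both sides of the hunk, so I cannot see whether ctx is released elsewhere on this path.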
@@ -1,15 +1,12 @@
-# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2023/02/01 14:39:09 tb Exp $
 
 # Connect a client to a server. Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
+# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
 # version number. Incompatible versions must fail. Check that client
 # and server have used correct version by grepping in their session
 # print out.
 
 LIBRARIES = libressl
-.if exists(/usr/local/bin/eopenssl)
-LIBRARIES += openssl
-.endif
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES += openssl11
 .endif
@@ -31,8 +28,7 @@ FAIL_${cver}_${sver} = !
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
 
-.if (("${clib}" != openssl && "${slib}" != openssl) || \
- ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
+.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
 (("${clib}" != openssl30 && "${slib}" != openssl30) || \
 (("${cver}" != any && "${sver}" != any) && \
 ("${cver}" != TLS1 && "${sver}" != TLS1) && \
@@ -79,13 +75,8 @@ check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
 @grep ' Protocol *: ' ${@:S/^check/server/}.out
 .if "${cver}" == any
 .if "${sver}" == any
-.if "${clib}" == openssl || "${slib}" == openssl
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
- grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
-.else
 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
 grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
-.endif
 .else
 grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
 ${@:S/^check/client/}.out
-- 
2.20.1
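Review bot: The rewritten `.if` at the top of the clib/slib loop (second hunk) changes which combinations are generated instead of merely dropping the 1.0.2 case: the old first conjunct was `(neither side is openssl) || (neither side pins TLS1_3)`, and with openssl gone from LIBRARIES in the first hunk the left disjunct is true for every remaining pair, so the whole conjunct was a no-op; keeping only `("${cver}" != TLS1_3 && "${sver}" != TLS1_3)` now excludes every combination where either side pins TLS1_3 from this branch. The correct simplification is to delete that line and start the condition at the next one, i.e. replace the two lines `.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \` and `(("${clib}" != openssl30 && "${slib}" != openssl30) || \` with the single line `.if (("${clib}" != openssl30 && "${slib}" != openssl30) || \`, which keeps the parentheses balanced. The `.if` expression and the loop body it guards continue past the hunk, so I cannot confirm the downstream effect on REGRESS_TARGETS from here, but as written the TLS1_3-pinned version checks appear to be silently skipped for libressl, openssl11 and openssl30 alike.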