From a21075fee22d6d3b6a0f42eb34acb0f38d976073 Mon Sep 17 00:00:00 2001
From: tb
Date: Mon, 30 Oct 2023 17:15:21 +0000
Subject: [PATCH] Add support for OpenSSL 3.1 interop tests

Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything.
---
 regress/lib/libssl/interop/Makefile | 4 +-
 regress/lib/libssl/interop/botan/Makefile | 5 ++-
 regress/lib/libssl/interop/cert/Makefile | 5 ++-
 regress/lib/libssl/interop/cipher/Makefile | 10 +++--
 regress/lib/libssl/interop/netcat/Makefile | 5 ++-
 regress/lib/libssl/interop/openssl31/Makefile | 43 +++++++++++++++++++
 regress/lib/libssl/interop/session/Makefile | 5 ++-
 regress/lib/libssl/interop/version/Makefile | 8 +++-
 8 files changed, 74 insertions(+), 11 deletions(-)
 create mode 100644 regress/lib/libssl/interop/openssl31/Makefile

diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile
index 72dc87b5c26..82bef2314d9 100644
--- a/regress/lib/libssl/interop/Makefile
+++ b/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
+# $OpenBSD: Makefile,v 1.18 2023/10/30 17:15:21 tb Exp $
-SUBDIR = libressl openssl11 openssl30
+SUBDIR = libressl openssl11 openssl30 openssl31
 # the above binaries must have been built before we can continue
 SUBDIR += netcat
diff --git a/regress/lib/libssl/interop/botan/Makefile b/regress/lib/libssl/interop/botan/Makefile
index 23f8a07bf47..b9570b815af 100644
--- a/regress/lib/libssl/interop/botan/Makefile
+++ b/regress/lib/libssl/interop/botan/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:58:20 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
 .include
@@ -26,6 +26,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
 PROGS = client
 SRCS_client = client.cpp
diff --git a/regress/lib/libssl/interop/cert/Makefile b/regress/lib/libssl/interop/cert/Makefile
index 47f4422d6e0..ae755be2232 100644
--- a/regress/lib/libssl/interop/cert/Makefile
+++ b/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.1 or 3.0. Create client and server certificates
@@ -13,6 +13,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
 .for cca in noca ca fakeca
 .for sca in noca ca fakeca
diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 85d927a92dc..627cfc8f9f0 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.12 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.13 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.1 or 3.0. Create lists of supported ciphers
@@ -24,6 +24,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
 CLEANFILES = *.tmp *.ciphers ciphers.mk
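Review bot: The header comment of cert/Makefile was not updated with the library list: the context of its first hunk still reads `# openssl 1.1 or 3.0. Create client and server certificates`, although the `LIBRARIES += openssl31` block added in the `@@ -13,6 +13,9 @@` hunk now brings OpenSSL 3.1 into the test matrix. The same stale wording is visible in the first hunks of cipher/Makefile and version/Makefile. I would change it to something like `# openssl 1.1, 3.0 or 3.1. Create client and server certificates`, so that the file states which peers the interop run actually covers.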
@@ -53,7 +56,8 @@ client-${clib}-server-${slib}.ciphers: \
 # we are only interested in ciphers supported by libressl
 sort $@ client-libressl.ciphers >$@.tmp
 . if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
- "${clib}" == "openssl30" || "${slib}" == "openssl30"
+ "${clib}" == "openssl30" || "${slib}" == "openssl30" || \
+ "${clib}" == "openssl31" || "${slib}" == "openssl31"
 # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
 sed -i '/^TLS_/d' $@.tmp
 . endif
@@ -145,7 +149,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
 # libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11" || "${slib}" == "openssl30"
+. if "${slib}" == "openssl11" || "${slib}" == "openssl30" || "${slib}" == "openssl31"
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 . else
 egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/regress/lib/libssl/interop/netcat/Makefile b/regress/lib/libssl/interop/netcat/Makefile
index 9cf10417af0..568c4d255ae 100644
--- a/regress/lib/libssl/interop/netcat/Makefile
+++ b/regress/lib/libssl/interop/netcat/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:38:57 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
 LIBRARIES = libressl
 .if exists(/usr/local/bin/eopenssl11)
@@ -7,6 +7,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
 # run netcat server and connect with test client
diff --git a/regress/lib/libssl/interop/openssl31/Makefile b/regress/lib/libssl/interop/openssl31/Makefile
new file mode 100644
index 00000000000..8f35fa272f3
--- /dev/null
+++ b/regress/lib/libssl/interop/openssl31/Makefile
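Review bot: The `. if` in this hunk names every OpenSSL flavour explicitly, so each new branch has to be added by hand here, in the `@@ -145,7 +149,7 @@` hunk below and in version/Makefile's `@@ -29,7 +32,8 @@` hunk. If one of those spots is missed, the TLSv1.3 `sed` filter or the expected-result logic would presumably not apply to the new library, and nothing would flag it. Matching on the name prefix would remove that step, e.g. `. if "${clib:Mopenssl*}" != "" || "${slib:Mopenssl*}" != ""`, assuming this make applies the `:M` modifier to `.for` loop variables; version/Makefile would need `openssl3*`, since its condition leaves out openssl11. The rule and the enclosing loops start above the hunk, so how `clib` and `slib` are bound is not visible here.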
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $
+
+.if !exists(/usr/local/bin/eopenssl31)
+regress:
+ # install openssl-3.1 from ports for interop tests
+ @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1'
+ @echo SKIPPED
+.else
+
+PROGS = client server
+CPPFLAGS = -I /usr/local/include/eopenssl31
+LDFLAGS = -L /usr/local/lib/eopenssl31
+LDADD = -lssl -lcrypto
+DPADD = /usr/local/lib/eopenssl31/libssl.a \
+ /usr/local/lib/eopenssl31/libcrypto.a
+LD_LIBRARY_PATH = /usr/local/lib/eopenssl31
+REGRESS_TARGETS = run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+ # check that $p is linked with OpenSSL 3.1
+ grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out
+ grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out
+ # check that $p is not linked with LibreSSL
+ ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+ # check that runtime version is OpenSSL 3.1
+ grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out
+
+run-protocol-$p: $p-self.out
+ # check that OpenSSL 3.1 protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl31)
+
+.include
diff --git a/regress/lib/libssl/interop/session/Makefile b/regress/lib/libssl/interop/session/Makefile
index f5858eaba09..99daa4ba4fa 100644
--- a/regress/lib/libssl/interop/session/Makefile
+++ b/regress/lib/libssl/interop/session/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2023/02/01 16:03:47 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/10/30 17:15:21 tb Exp $
 LIBRARIES = libressl
 .if exists(/usr/local/bin/eopenssl11)
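Review bot: The `run-version-$p` and `run-protocol-$p` recipes match with unescaped dots, so `grep 'SSLEAY_VERSION: OpenSSL 3.1'` also accepts strings such as `OpenSSL 3.10` or `OpenSSL 3x1`. Together with `run-ldd-$p`, these targets confirm that the test binaries really run against OpenSSL 3.1 rather than another installed library, so the patterns should be exact. I would write `grep 'SSLEAY_VERSION: OpenSSL 3\.1\.' $p-self.out` and `grep 'Protocol *: TLSv1\.3' $p-self.out`. The trailing `\.` assumes the reported version string continues with a patch level; drop it if the output format differs.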
@@ -7,6 +7,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 #LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+#LIBRARIES += openssl31
+.endif
 run-session-client-libressl-server-libressl \
 run-session-client-libressl-server-openssl11 \
diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile
index c4f7705d638..bb4641afa98 100644
--- a/regress/lib/libssl/interop/version/Makefile
+++ b/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
+# $OpenBSD: Makefile,v 1.8 2023/10/30 17:15:21 tb Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
@@ -13,6 +13,9 @@ LIBRARIES += openssl11
 .if exists(/usr/local/bin/eopenssl30)
 LIBRARIES += openssl30
 .endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
 VERSIONS = any TLS1_2 TLS1_3
@@ -29,7 +32,8 @@ FAIL_${cver}_${sver} = !
 .for slib in ${LIBRARIES}
 .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
- (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+ ((("${clib}" != openssl30 && "${slib}" != openssl30) && \
+ ("${clib}" != openssl31 && "${slib}" != openssl31)) || \
 (("${cver}" != any && "${sver}" != any) && \
 ("${cver}" != TLS1 && "${sver}" != TLS1) && \
 ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
--
2.20.1
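Review bot: The new `.if exists(/usr/local/bin/eopenssl31)` block in session/Makefile has only a commented-out body, `#LIBRARIES += openssl31`, so the session tests never run against OpenSSL 3.1 and nothing in the hunk says why. Please add a comment above the block giving the reason and the condition for re-enabling it, e.g. `# session tests against OpenSSL 3.x are disabled: <reason>`, so the missing coverage is a recorded decision. The openssl30 block in the context has the same shape and could carry the same comment.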