author | Theo Buehler <tb@cvs.openbsd.org> | 2025-01-15 10:54:18 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2025-01-15 10:54:18 +0000 |
commit | 77f7ce38a65f05d5b60a66ad0ac25d23267718cb (patch) | |
tree | 163aca9f0afca7c2edd958df521b3dcb191c8959 | |
parent | fbd1782530e8147c9b498f22be3fd71da327d964 (diff) |
Interop tests for openssl 3.3 and 3.4, retire 3.2, 1.1 (and 3.1 remnants)
OpenSSL 1.1 and 3.2 will be removed from the ports tree, so test the two
remaining versions. Unfortunately, this requires a lot more manual
massaging than there should be.
-rw-r--r-- | regress/lib/libssl/interop/Makefile | 6 | ||||
-rw-r--r-- | regress/lib/libssl/interop/botan/Makefile | 13 | ||||
-rw-r--r-- | regress/lib/libssl/interop/cert/Makefile | 15 | ||||
-rw-r--r-- | regress/lib/libssl/interop/cipher/Makefile | 25 | ||||
-rw-r--r-- | regress/lib/libssl/interop/netcat/Makefile | 13 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl11/Makefile | 43 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl31/Makefile | 43 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl32/Makefile | 44 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl33/Makefile | 44 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl34/Makefile | 44 | ||||
-rw-r--r-- | regress/lib/libssl/interop/session/Makefile | 18 | ||||
-rw-r--r-- | regress/lib/libssl/interop/version/Makefile | 13 |
12 files changed, 130 insertions, 191 deletions
diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile index 21dfce359de..bdc67f627a8 100644 --- a/regress/lib/libssl/interop/Makefile +++ b/regress/lib/libssl/interop/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.20 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $ -SUBDIR = libressl openssl11 openssl31 openssl32 +SUBDIR = libressl openssl33 openssl34 # the above binaries must have been built before we can continue SUBDIR += netcat @@ -10,7 +10,7 @@ SUBDIR += botan # What is below takes a long time. # setting REGRESS_SKIP_SLOW to "yes" in mk.conf # will skip the tests that do not test libressl -# but do things like test openssl11 to openssl 3 +# but do things like test openssl 3.x to openssl 3.y SUBDIR += version SUBDIR += cipher # This takes a really long time. diff --git a/regress/lib/libssl/interop/botan/Makefile b/regress/lib/libssl/interop/botan/Makefile index e20553012a7..85877d4290b 100644 --- a/regress/lib/libssl/interop/botan/Makefile +++ b/regress/lib/libssl/interop/botan/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ .include <bsd.own.mk> @@ -20,14 +20,11 @@ CXX = /usr/local/bin/eg++ .endif LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif PROGS = client diff --git a/regress/lib/libssl/interop/cert/Makefile b/regress/lib/libssl/interop/cert/Makefile index ab35d03d749..74c63c86a8b 100644 --- a/regress/lib/libssl/interop/cert/Makefile +++ b/regress/lib/libssl/interop/cert/Makefile 
@@ -1,20 +1,17 @@ -# $OpenBSD: Makefile,v 1.13 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or -# openssl 1.1 or 3.0. Create client and server certificates +# openssl 3.x. Create client and server certificates # that are signed by a CA and not signed by a fake CA. Try all # combinations with, without, and with wrong CA for client and server # and check the result of certificate verification. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif .for cca in noca ca fakeca diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile index bf4a1e28dca..fa7e25f9ee9 100644 --- a/regress/lib/libssl/interop/cipher/Makefile +++ b/regress/lib/libssl/interop/cipher/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.16 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or 3.0. Create lists of supported ciphers @@ -7,14 +7,11 @@ # have used correct cipher by grepping in their session print out. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif CLEANFILES = *.tmp *.ciphers ciphers.mk 
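Review bot: The header comment in cipher/Makefile still reads `openssl 1.1 or 3.0` (context of its first hunk), although this commit retires 1.1 and the LIBRARIES block just below now lists only openssl33 and openssl34. cert/Makefile gets the wording `openssl 3.x` in this same commit, and the same edit fits here. version/Makefile keeps `openssl 1.1 or openssl 3.0` in its header as well. A stale header misleads whoever next checks which peers these interop runs actually cover.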
@@ -44,9 +41,8 @@ client-${clib}-server-${slib}.ciphers: \ uniq -d <$@.tmp >$@ # we are only interested in ciphers supported by libressl sort $@ client-libressl.ciphers >$@.tmp -. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \ - "${clib}" == "openssl31" || "${slib}" == "openssl31" || \ - "${clib}" == "openssl32" || "${slib}" == "openssl32" +. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \ + "${clib}" == "openssl34" || "${slib}" == "openssl34" # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers sed -i '/^TLS_/d' $@.tmp . endif @@ -74,9 +70,8 @@ regress: ciphers.mk .endif LEVEL_libressl = -LEVEL_openssl11 = ,@SECLEVEL=0 -LEVEL_openssl31 = ,@SECLEVEL=0 -LEVEL_openssl32 = ,@SECLEVEL=0 +LEVEL_openssl33 = ,@SECLEVEL=0 +LEVEL_openssl34 = ,@SECLEVEL=0 .for clib in ${LIBRARIES} .for slib in ${LIBRARIES} @@ -137,7 +132,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \ . endif . if "${clib}" == "libressl" # libressl client may prefer chacha-poly if aes-ni is not supported -. if "${slib}" == "openssl11" || "${slib}" == "openssl31" || "${slib}" == "openssl32" +. if "${slib}" == "openssl33" || "${slib}" == "openssl34" egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out . else egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out diff --git a/regress/lib/libssl/interop/netcat/Makefile b/regress/lib/libssl/interop/netcat/Makefile index ee6fc7e103b..3b8e3f95bea 100644 --- a/regress/lib/libssl/interop/netcat/Makefile +++ b/regress/lib/libssl/interop/netcat/Makefile 
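Review bot: `LEVEL_openssl33` and `LEVEL_openssl34` in the second hunk on this line carry `,@SECLEVEL=0` forward with no comment on why the OpenSSL peers run at security level 0. I would add a line above the block such as `# @SECLEVEL=0: OpenSSL must not reject ciphers below its default security level; regress only`. That reason is inferred from the surrounding cipher-enumeration logic and should be confirmed by the author. Stating it keeps the setting from being copied by example into a non-test configuration.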
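Review bot: The updated `.if "${slib}" == "openssl33" || "${slib}" == "openssl34"` in the last cipher/Makefile hunk selects between two egrep commands that, as shown here, are the same line in both branches. If they really are identical, the conditional can be dropped, leaving one fewer version list to edit on the next OpenSSL bump. If they differ only in whitespace lost in this view, a comment naming the difference would help. The `.else` branch closes outside the hunk.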
@@ -1,14 +1,11 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif # run netcat server and connect with test client diff --git a/regress/lib/libssl/interop/openssl11/Makefile b/regress/lib/libssl/interop/openssl11/Makefile deleted file mode 100644 index 27e73549255..00000000000 --- a/regress/lib/libssl/interop/openssl11/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.8 2021/12/02 17:10:53 kn Exp $ - -.if ! exists(/usr/local/bin/eopenssl11) -regress: - # install openssl-1.1 from ports for interop tests - @echo 'Run "pkg_add openssl--%1.1" to run tests against OpenSSL 1.1' - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl11 -LDFLAGS = -L /usr/local/lib/eopenssl11 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl11/libssl.a \ - /usr/local/lib/eopenssl11/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl11 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 1.1 - grep -q /usr/local/lib/eopenssl11/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 1.1 - grep 'SSLEAY_VERSION: OpenSSL 1.1' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 1.1 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl11) - -.include <bsd.regress.mk> diff --git a/regress/lib/libssl/interop/openssl31/Makefile b/regress/lib/libssl/interop/openssl31/Makefile deleted file mode 100644 index 8f35fa272f3..00000000000 --- a/regress/lib/libssl/interop/openssl31/Makefile +++ /dev/null 
@@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $ - -.if !exists(/usr/local/bin/eopenssl31) -regress: - # install openssl-3.1 from ports for interop tests - @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1' - @echo SKIPPED -.else - -PROGS = client server -CPPFLAGS = -I /usr/local/include/eopenssl31 -LDFLAGS = -L /usr/local/lib/eopenssl31 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl31/libssl.a \ - /usr/local/lib/eopenssl31/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl31 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.1 - grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.1 - grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.1 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl31) - -.include <bsd.regress.mk> diff --git a/regress/lib/libssl/interop/openssl32/Makefile b/regress/lib/libssl/interop/openssl32/Makefile deleted file mode 100644 index 87255138ffd..00000000000 --- a/regress/lib/libssl/interop/openssl32/Makefile +++ /dev/null 
@@ -1,44 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2024/10/22 16:31:10 tb Exp $ - -.if ! exists(/usr/local/bin/eopenssl32) -regress: - # install openssl-3.2 ports for interop tests - @echo 'Run "pkg_add openssl--%3.2" to run tests against OpenSSL 3.2' - @echo SKIPPED -.else - -PROGS = client server -CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED -CPPFLAGS = -I /usr/local/include/eopenssl32 -LDFLAGS = -L /usr/local/lib/eopenssl32 -LDADD = -lssl -lcrypto -DPADD = /usr/local/lib/eopenssl32/libssl.a \ - /usr/local/lib/eopenssl32/libcrypto.a -LD_LIBRARY_PATH = /usr/local/lib/eopenssl32 -REGRESS_TARGETS = run-self-client-server -.for p in ${PROGS} -REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p -.endfor - -.for p in ${PROGS} - -run-ldd-$p: ldd-$p.out - # check that $p is linked with OpenSSL 3.2 - grep -q /usr/local/lib/eopenssl32/libcrypto.so ldd-$p.out - grep -q /usr/local/lib/eopenssl32/libssl.so ldd-$p.out - # check that $p is not linked with LibreSSL - ! grep -v libc.so ldd-$p.out | grep /usr/lib/ - -run-version-$p: $p-self.out - # check that runtime version is OpenSSL 3.2 - grep 'SSLEAY_VERSION: OpenSSL 3.2' $p-self.out - -run-protocol-$p: $p-self.out - # check that OpenSSL 3.2 protocol version is TLS 1.3 - grep 'Protocol *: TLSv1.3' $p-self.out - -.endfor - -.endif # exists(/usr/local/bin/eopenssl32) - -.include <bsd.regress.mk> diff --git a/regress/lib/libssl/interop/openssl33/Makefile b/regress/lib/libssl/interop/openssl33/Makefile new file mode 100644 index 00000000000..eff61704d02 --- /dev/null +++ b/regress/lib/libssl/interop/openssl33/Makefile 
@@ -0,0 +1,44 @@ +# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ + +.if ! exists(/usr/local/bin/eopenssl33) +regress: + # install openssl-3.3 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3' + @echo SKIPPED +.else + +PROGS = client server +CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED +CPPFLAGS = -I /usr/local/include/eopenssl33 +LDFLAGS = -L /usr/local/lib/eopenssl33 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl33/libssl.a \ + /usr/local/lib/eopenssl33/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl33 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.3 + grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v libc.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.3 + grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.3 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl33) + +.include <bsd.regress.mk> diff --git a/regress/lib/libssl/interop/openssl34/Makefile b/regress/lib/libssl/interop/openssl34/Makefile new file mode 100644 index 00000000000..72246bb621e --- /dev/null +++ b/regress/lib/libssl/interop/openssl34/Makefile 
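Review bot: openssl33/Makefile and openssl34/Makefile are added as 44-line copies that differ only in the version digits (`eopenssl33`/`3.3` versus `eopenssl34`/`3.4`). A shared include parameterised on the version would leave each directory with a couple of assignments and remove the copy-and-edit step the commit message complains about. Short of that, a comment at the top of each file naming its sibling would remind the next editor to keep the two in step, so the ldd and `SSLEAY_VERSION` checks do not drift apart.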
@@ -0,0 +1,44 @@ +# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $ + +.if ! exists(/usr/local/bin/eopenssl34) +regress: + # install openssl-3.4 from ports for interop tests + @echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4' + @echo SKIPPED +.else + +PROGS = client server +CFLAGS += -DOPENSSL_SUPPRESS_DEPRECATED +CPPFLAGS = -I /usr/local/include/eopenssl34 +LDFLAGS = -L /usr/local/lib/eopenssl34 +LDADD = -lssl -lcrypto +DPADD = /usr/local/lib/eopenssl34/libssl.a \ + /usr/local/lib/eopenssl34/libcrypto.a +LD_LIBRARY_PATH = /usr/local/lib/eopenssl34 +REGRESS_TARGETS = run-self-client-server +.for p in ${PROGS} +REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p +.endfor + +.for p in ${PROGS} + +run-ldd-$p: ldd-$p.out + # check that $p is linked with OpenSSL 3.4 + grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out + grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out + # check that $p is not linked with LibreSSL + ! grep -v libc.so ldd-$p.out | grep /usr/lib/ + +run-version-$p: $p-self.out + # check that runtime version is OpenSSL 3.4 + grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out + +run-protocol-$p: $p-self.out + # check that OpenSSL 3.4 protocol version is TLS 1.3 + grep 'Protocol *: TLSv1.3' $p-self.out + +.endfor + +.endif # exists(/usr/local/bin/eopenssl34) + +.include <bsd.regress.mk> diff --git a/regress/lib/libssl/interop/session/Makefile b/regress/lib/libssl/interop/session/Makefile index ab6503c97f9..e9a353f99e7 100644 --- a/regress/lib/libssl/interop/session/Makefile +++ b/regress/lib/libssl/interop/session/Makefile 
@@ -1,20 +1,14 @@ -# $OpenBSD: Makefile,v 1.11 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $ LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +#LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -#LIBRARIES += openssl31 -.endif -.if exists(/usr/local/bin/eopenssl32) -#LIBRARIES += openssl32 +.if exists(/usr/local/bin/eopenssl34) +#LIBRARIES += openssl34 .endif -run-session-client-libressl-server-libressl \ -run-session-client-libressl-server-openssl11 \ -run-session-client-openssl11-server-libressl \ -run-session-client-openssl11-server-openssl11: +run-session-client-libressl-server-libressl: # TLS 1.3 needs some extra setup for session reuse @echo DISABLED diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile index aa5883fa2dd..605fba252f6 100644 --- a/regress/lib/libssl/interop/version/Makefile +++ b/regress/lib/libssl/interop/version/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.9 2024/08/18 10:02:10 tb Exp $ +# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $ # Connect a client to a server. Both can be current libressl, or # openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS @@ -7,11 +7,11 @@ # print out. LIBRARIES = libressl -.if exists(/usr/local/bin/eopenssl11) -LIBRARIES += openssl11 +.if exists(/usr/local/bin/eopenssl33) +LIBRARIES += openssl33 .endif -.if exists(/usr/local/bin/eopenssl31) -LIBRARIES += openssl31 +.if exists(/usr/local/bin/eopenssl34) +LIBRARIES += openssl34 .endif VERSIONS = any TLS1_2 TLS1_3 
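Review bot: Both `.if exists(...)` blocks in session/Makefile now wrap only a commented-out line (`#LIBRARIES += openssl33`, `#LIBRARIES += openssl34`), and with openssl11 dropped LIBRARIES is just libressl, whose one remaining target prints DISABLED. The session regress therefore no longer exercises any OpenSSL peer, and nothing in the file says why the 3.x entries are off. I would add a comment above the conditionals, e.g. `# OpenSSL 3.x disabled: session reuse over TLS 1.3 needs extra setup`, if that is indeed the reason (inferred from the comment on the remaining target).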
@@ -29,7 +29,8 @@ FAIL_${cver}_${sver} = ! .for slib in ${LIBRARIES} .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \ - ((("${clib}" != openssl31 && "${slib}" != openssl31)) || \ + ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \ + (("${clib}" != openssl34 && "${slib}" != openssl34)) || \ (("${cver}" != any && "${sver}" != any) && \ ("${cver}" != TLS1 && "${sver}" != TLS1) && \ ("${cver}" != TLS1_1 && "${sver}" != TLS1_1))) |
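Review bot: The two library clauses in the `.if` are joined with `||`, so their combined test is false only when one peer is openssl33 and the other is openssl34. A libressl peer paired with either OpenSSL still satisfies one clause, so the any/TLS1/TLS1_1 exclusion that the old single openssl31 clause applied to every pairing involving that library is skipped. If the intent is unchanged (inferred from the removed line), the clauses need `&&`: `((("${clib}" != openssl33 && "${slib}" != openssl33) && \` followed by `("${clib}" != openssl34 && "${slib}" != openssl34)) || \`. The body of this `.if` lies outside the hunk.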