author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-09-14 00:51:05 +0000 |
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-09-14 00:51:05 +0000 |
commit | fe8275e2744e8e1741ce2d31918f458d8f4c0aa7 (patch) | |
tree | f0417374db2feae9f0882ba5651b9b7f0672dd12 /regress/lib | |
parent | cb51c3adb97cda6656f3ebed387a4ce278bdd1eb (diff) |
Connect a client to a server. Both can be current libressl, or
openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
version number. Incompatible versions must fail. Check that client
and server have used the correct version by grepping in their session
printout.
Diffstat (limited to 'regress/lib')
-rw-r--r-- | regress/lib/libssl/interop/Makefile | 3 | ||||
-rw-r--r-- | regress/lib/libssl/interop/client.c | 50 | ||||
-rw-r--r-- | regress/lib/libssl/interop/libressl/Makefile | 3 | ||||
-rw-r--r-- | regress/lib/libssl/interop/server.c | 50 | ||||
-rw-r--r-- | regress/lib/libssl/interop/version/Makefile | 97 |
5 files changed, 193 insertions, 10 deletions
diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile index 5ad9041276a..cf06d8c0226 100644 --- a/regress/lib/libssl/interop/Makefile +++ b/regress/lib/libssl/interop/Makefile @@ -1,10 +1,11 @@ -# $OpenBSD: Makefile,v 1.10 2020/09/11 22:48:00 bluhm Exp $ +# $OpenBSD: Makefile,v 1.11 2020/09/14 00:51:04 bluhm Exp $ SUBDIR = libressl openssl openssl11 # the above binaries must have been built before we can continue SUBDIR += cert SUBDIR += cipher +SUBDIR += version SUBDIR += netcat SUBDIR += session diff --git a/regress/lib/libssl/interop/client.c b/regress/lib/libssl/interop/client.c index 6a85e35c929..a8e66c28760 100644 --- a/regress/lib/libssl/interop/client.c +++ b/regress/lib/libssl/interop/client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: client.c,v 1.9 2020/09/11 22:48:00 bluhm Exp $ */ +/* $OpenBSD: client.c,v 1.10 2020/09/14 00:51:04 bluhm Exp $ */ /* * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org> * @@ -35,7 +35,7 @@ void __dead usage(void) { fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] " - "[-l ciphers] host port\n"); + "[-l ciphers] [-V version] host port\n"); exit(2); } @@ -48,11 +48,12 @@ main(int argc, char *argv[]) BIO *bio; SSL_SESSION *session = NULL; int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; + int version = 0; char buf[256]; char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; char *host_port, *host = "127.0.0.1", *port = "0"; - while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) { + while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { switch (ch) { case 'C': ca = optarg; 
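Review bot: The new optstring `"C:c:k:Ll:p:sV:v"` in client.c's getopt hunk adds `p:` together with `V:`, but the client has no `case 'p'` and the usage string updated two hunks earlier does not list `-p`; this looks copied from server.c, where `-p dhparam` is a real option. With `p:` in the optstring, `-p foo` is accepted by getopt and handed to the switch's default branch instead of being reported as an unknown option; the default is outside the hunk and is presumably usage(), so the effect is cosmetic but the two files now advertise different interfaces. Suggest `while ((ch = getopt(argc, argv, "C:c:k:Ll:sV:v")) != -1) {`. main() continues outside the hunk.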
@@ -73,6 +74,21 @@ main(int argc, char *argv[]) /* multiple reueses are possible */ sessionreuse++; break; + case 'V': + if (strcmp(optarg, "TLS1") == 0) { + version = TLS1_VERSION; + } else if (strcmp(optarg, "TLS1_1") == 0) { + version = TLS1_1_VERSION; + } else if (strcmp(optarg, "TLS1_2") == 0) { + version = TLS1_2_VERSION; +#ifdef TLS1_3_VERSION + } else if (strcmp(optarg, "TLS1_3") == 0) { + version = TLS1_3_VERSION; +#endif + } else { + errx(1, "unknown protocol version: %s", optarg); + } + break; case 'v': verify = 1; break; @@ -104,7 +120,24 @@ main(int argc, char *argv[]) if (method == NULL) err_ssl(1, "TLS_client_method"); #else - method = SSLv23_client_method(); + switch (version) { + case TLS1_VERSION: + method = TLSv1_client_method(); + break; + case TLS1_1_VERSION: + method = TLSv1_1_client_method(); + break; + case TLS1_2_VERSION: + method = TLSv1_2_client_method(); + break; +#ifdef TLS1_3_VERSION + case TLS1_3_VERSION: + err(1, "TLS1_3 not supported"); +#endif + default: + method = SSLv23_client_method(); + break; + } if (method == NULL) err_ssl(1, "SSLv23_client_method"); #endif @@ -112,6 +145,15 @@ main(int argc, char *argv[]) if (ctx == NULL) err_ssl(1, "SSL_CTX_new"); +#if OPENSSL_VERSION_NUMBER >= 0x1010000f + if (version) { + if (SSL_CTX_set_min_proto_version(ctx, version) != 1) + err_ssl(1, "SSL_CTX_set_min_proto_version"); + if (SSL_CTX_set_max_proto_version(ctx, version) != 1) + err_ssl(1, "SSL_CTX_set_max_proto_version"); + } +#endif + /* load client certificate */ if (crt != NULL) { if (SSL_CTX_use_certificate_file(ctx, crt, diff --git a/regress/lib/libssl/interop/libressl/Makefile b/regress/lib/libssl/interop/libressl/Makefile index 16ec8cf086e..d19e6eb306a 100644 --- a/regress/lib/libssl/interop/libressl/Makefile +++ b/regress/lib/libssl/interop/libressl/Makefile 
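Review bot: In the `#else` method switch, `case TLS1_3_VERSION: err(1, "TLS1_3 not supported");` uses err(), which appends strerror(errno) to a message that has no failing call behind it, so the output will carry whatever stale errno text is lying around; the `-V` parsing hunk in the same file already uses errx() for its 'unknown protocol version' message, and this case should match: `errx(1, "TLS1_3 not supported");`. The same case appears in server.c's method switch (the hunk with the -113 header), so both should change together. The case also has no break and relies on err()/errx() not returning; a `/* NOTREACHED */` comment would make that intent visible to the reader. main() starts and ends outside this hunk.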
@@ -1,6 +1,7 @@ -# $OpenBSD: Makefile,v 1.6 2020/05/11 18:20:24 jsing Exp $ +# $OpenBSD: Makefile,v 1.7 2020/09/14 00:51:04 bluhm Exp $ PROGS = client server +CFLAGS = -DLIBRESSL_HAS_TLS1_3 CPPFLAGS = LDFLAGS = LDADD = -lssl -lcrypto diff --git a/regress/lib/libssl/interop/server.c b/regress/lib/libssl/interop/server.c index 67238174986..4b9dd0f5069 100644 --- a/regress/lib/libssl/interop/server.c +++ b/regress/lib/libssl/interop/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $ */ +/* $OpenBSD: server.c,v 1.9 2020/09/14 00:51:04 bluhm Exp $ */ /* * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org> * @@ -36,7 +36,7 @@ void __dead usage(void) { fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] " - "[-l ciphers] [-p dhparam] [host port]\n"); + "[-l ciphers] [-p dhparam] [-V version] [host port]\n"); exit(2); } @@ -49,11 +49,12 @@ main(int argc, char *argv[]) BIO *abio, *cbio; SSL_SESSION *session; int ch, error, listciphers = 0, sessionreuse = 0, verify = 0; + int version = 0; char buf[256], *dhparam = NULL; char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL; char *host_port, *host = "127.0.0.1", *port = "0"; - while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sv")) != -1) { + while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sV:v")) != -1) { switch (ch) { case 'C': ca = optarg; @@ -77,6 +78,21 @@ main(int argc, char *argv[]) /* multiple reueses are possible */ sessionreuse++; break; + case 'V': + if (strcmp(optarg, "TLS1") == 0) { + version = TLS1_VERSION; + } else if (strcmp(optarg, "TLS1_1") == 0) { + version = TLS1_1_VERSION; + } else if (strcmp(optarg, "TLS1_2") == 0) { + version = TLS1_2_VERSION; +#ifdef TLS1_3_VERSION + } else if (strcmp(optarg, "TLS1_3") == 0) { + version = TLS1_3_VERSION; +#endif + } else { + errx(1, "unknown protocol version: %s", optarg); + } + break; case 'v': /* use twice to force client cert */ verify++; 
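Review bot: `CFLAGS = -DLIBRESSL_HAS_TLS1_3` in libressl/Makefile assigns with `=`, which replaces the default flags inherited from sys.mk (optimization and pipe options) rather than adding to them; a preprocessor define belongs in the `CPPFLAGS =` line that the same file already sets, `CPPFLAGS = -DLIBRESSL_HAS_TLS1_3`, leaving CFLAGS untouched. None of the C sources changed in this commit test LIBRESSL_HAS_TLS1_3 (client.c and server.c key off `TLS1_3_VERSION` instead), so if the macro is consumed by another test directory a short comment naming it would keep the define from looking dead.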
@@ -113,7 +129,24 @@ main(int argc, char *argv[]) if (method == NULL) err_ssl(1, "TLS_server_method"); #else - method = SSLv23_server_method(); + switch (version) { + case TLS1_VERSION: + method = TLSv1_server_method(); + break; + case TLS1_1_VERSION: + method = TLSv1_1_server_method(); + break; + case TLS1_2_VERSION: + method = TLSv1_2_server_method(); + break; +#ifdef TLS1_3_VERSION + case TLS1_3_VERSION: + err(1, "TLS1_3 not supported"); +#endif + default: + method = SSLv23_server_method(); + break; + } if (method == NULL) err_ssl(1, "SSLv23_server_method"); #endif @@ -121,6 +154,15 @@ main(int argc, char *argv[]) if (ctx == NULL) err_ssl(1, "SSL_CTX_new"); +#if OPENSSL_VERSION_NUMBER >= 0x1010000f + if (version) { + if (SSL_CTX_set_min_proto_version(ctx, version) != 1) + err_ssl(1, "SSL_CTX_set_min_proto_version"); + if (SSL_CTX_set_max_proto_version(ctx, version) != 1) + err_ssl(1, "SSL_CTX_set_max_proto_version"); + } +#endif + #if OPENSSL_VERSION_NUMBER >= 0x10100000 /* needed to use DHE cipher with libressl */ if (SSL_CTX_set_dh_auto(ctx, 1) <= 0) diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile new file mode 100644 index 00000000000..0f1d891f34c --- /dev/null +++ b/regress/lib/libssl/interop/version/Makefile 
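Review bot: The fifteen-line `case 'V':` name-to-constant chain in server.c's option hunk is byte-identical to the one added to client.c, and the two version-pinning blocks that follow are duplicated the same way, so future additions (or a fix to the TLS1_3 message) have to be made twice. err_ssl() is defined in neither file's hunks, which suggests the directory already has a shared source; if so, a small helper there would keep both programs in sync and reduce each case to a single assignment. The helper below mirrors the existing chain exactly, including the `#ifdef TLS1_3_VERSION` guard; main() starts and ends outside this hunk.
```c
	case 'V':
		version = parse_version(optarg);
		break;

/* Map a -V argument to its TLS version constant; exits on an unknown name. */
static int
parse_version(const char *name)
{
	if (strcmp(name, "TLS1") == 0)
		return TLS1_VERSION;
	if (strcmp(name, "TLS1_1") == 0)
		return TLS1_1_VERSION;
	if (strcmp(name, "TLS1_2") == 0)
		return TLS1_2_VERSION;
#ifdef TLS1_3_VERSION
	if (strcmp(name, "TLS1_3") == 0)
		return TLS1_3_VERSION;
#endif
	errx(1, "unknown protocol version: %s", name);
}
```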
@@ -0,0 +1,97 @@
+# $OpenBSD: Makefile,v 1.1 2020/09/14 00:51:04 bluhm Exp $
+
+# Connect a client to a server. Both can be current libressl, or
+# openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
+# version number. Incompatible versions must fail. Check that client
+# and server have used correct version by grepping in their session
+# print out.
+
+LIBRARIES = libressl
+.if exists(/usr/local/bin/eopenssl)
+LIBRARIES += openssl
+.endif
+.if exists(/usr/local/bin/eopenssl11)
+LIBRARIES += openssl11
+.endif
+
+VERSIONS = any TLS1 TLS1_1 TLS1_2 TLS1_3
+
+.for cver in ${VERSIONS}
+.for sver in ${VERSIONS}
+
+.if "${cver}" == any || "${sver}" == any || "${cver}" == "${sver}"
+FAIL_${cver}_${sver} =
+.else
+FAIL_${cver}_${sver} = !
+.endif
+
+.for clib in ${LIBRARIES}
+.for slib in ${LIBRARIES}
+
+.if ("${clib}" != openssl && "${slib}" != openssl) || \
+ ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
+
+REGRESS_TARGETS += run-version-client-${clib}-${cver}-server-${slib}-${sver}
+
+run-version-client-${clib}-${cver}-server-${slib}-${sver} \
+client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
+server-version-client-${clib}-${cver}-server-${slib}-${sver}.out: \
+ 127.0.0.1.crt ../${clib}/client ../${slib}/server
+ @echo '\n======== $@ ========'
+ LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
+ ../${slib}/server >${@:S/^run/server/}.out \
+ -c 127.0.0.1.crt -k 127.0.0.1.key \
+ ${sver:Nany:S/^/-V /} \
+ 127.0.0.1 0
+ ${FAIL_${cver}_${sver}} \
+ LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
+ ../${clib}/client >${@:S/^run/client/}.out \
+ ${cver:Nany:S/^/-V /} \
+ `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
+.if empty(${FAIL_${cver}_${sver}})
+ grep -q '^success$$' ${@:S/^run/server/}.out || \
+ { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
+ grep -q '^success$$' ${@:S/^run/client/}.out
+.endif
+
+.if empty(${FAIL_${cver}_${sver}})
+
+REGRESS_TARGETS += check-version-client-${clib}-${cver}-server-${slib}-${sver}
+
+check-version-client-${clib}-${cver}-server-${slib}-${sver}: \
+ client-version-client-${clib}-${cver}-server-${slib}-${sver}.out \
+ server-version-client-${clib}-${cver}-server-${slib}-${sver}.out
+ @echo '\n======== $@ ========'
+ @grep ' Protocol *: ' ${@:S/^check/client/}.out
+ @grep ' Protocol *: ' ${@:S/^check/server/}.out
+.if "${cver}" == any
+.if "${sver}" == any
+.if "${clib}" == openssl || "${slib}" == openssl
+ grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/client/}.out
+ grep -q ' Protocol *: TLSv1.2$$' ${@:S/^check/server/}.out
+.else
+ grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/client/}.out
+ grep -q ' Protocol *: TLSv1.3$$' ${@:S/^check/server/}.out
+.endif
+.else
+ grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
+ ${@:S/^check/client/}.out
+ grep -q ' Protocol *: ${sver:S/TLS/TLSv/:S/_/./}$$' \
+ ${@:S/^check/server/}.out
+.endif
+.else
+ grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
+ ${@:S/^check/client/}.out
+ grep -q ' Protocol *: ${cver:S/TLS/TLSv/:S/_/./}$$' \
+ ${@:S/^check/server/}.out
+.endif
+.endif
+
+.endif
+
+.endfor
+.endfor
+.endfor
+.endfor
+
+.include <bsd.regress.mk> |
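Review bot: In the incompatible-version combinations the `${FAIL_${cver}_${sver}}` prefix (`!`) only requires the client command to exit non-zero; a client that fails because the server never wrote its `listen sock:` line, or for any reason unrelated to protocol versions, satisfies `!` just as well, so a negative case can pass without exercising the mismatch it is meant to test. The run target should at least confirm the server came up before the client is started, e.g. `grep -q '^listen sock: ' ${@:S/^run/server/}.out` right after the server command, since an empty sed result otherwise leaves the client with no port argument. Grepping the client or server .out for the handshake failure itself would pin the reason fully, but the exact alert text differs between libressl and the two openssl versions, so that check would have to be written per library.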