authorAlexander Bluhm <bluhm@cvs.openbsd.org>2018-11-07 20:46:29 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2018-11-07 20:46:29 +0000
commita4056e77cbb26f6a514e69738bd98681be4df918 (patch)
tree2deeba44875e2c55f96a7b85dca764ae55e3956c /regress
parent06d968cecd13de2f223a1d4c9feff96a9d241ade (diff)
Add a self test for each SSL library by connecting client with
server. Check that the highest available TLS version is selected. LibreSSL TLS 1.3 check is disabled until the feature becomes available.
Diffstat (limited to 'regress')
-rw-r--r--regress/lib/libssl/interop/Makefile.inc57
-rw-r--r--regress/lib/libssl/interop/README4
-rw-r--r--regress/lib/libssl/interop/libressl/Makefile19
-rw-r--r--regress/lib/libssl/interop/openssl/Makefile13
-rw-r--r--regress/lib/libssl/interop/openssl11/Makefile18
5 files changed, 88 insertions, 23 deletions
diff --git a/regress/lib/libssl/interop/Makefile.inc b/regress/lib/libssl/interop/Makefile.inc
index f209bdbd913..1a1ef30ca68 100644
--- a/regress/lib/libssl/interop/Makefile.inc
+++ b/regress/lib/libssl/interop/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile.inc,v 1.3 2018/11/07 20:46:28 bluhm Exp $
.PATH: ${.CURDIR}/..
@@ -18,43 +18,72 @@ ldd-$p.out: $p
# run netcat server and connect with test client
-CLEANFILES += client.out netcat-l.out netcat-l.fstat
+CLEANFILES += nc-client.out netcat-l.out netcat-l.fstat
REGRESS_TARGETS += run-client
-client.out run-client: client 127.0.0.1.crt
+nc-client.out run-client: client 127.0.0.1.crt
@echo '\n======== $@ ========'
echo "greeting" | nc -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
127.0.0.1 0 >netcat-l.out & \
sleep 1; fstat -p $$! >netcat-l.fstat
LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./client \
`sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat-l.fstat` \
- >client.out
+ >nc-client.out
# check that the client run successfully to the end
- grep -q '^success$$' client.out
+ grep -q '^success$$' nc-client.out
# client must have read server greeting
- grep -q '^<<< greeting$$' client.out
+ grep -q '^<<< greeting$$' nc-client.out
# netstat server must have read client hello
grep -q '^hello$$' netcat-l.out
# run test server and connect with netcat client
-CLEANFILES += server.out netcat.out
+CLEANFILES += nc-server.out netcat.out
REGRESS_TARGETS += run-server
-server.out run-server: server 127.0.0.1.crt
+nc-server.out run-server: server 127.0.0.1.crt
@echo '\n======== $@ ========'
- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 >server.out
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 \
+ >nc-server.out
echo "hello" | nc -c -T noverify \
- `sed -n 's/listen sock: //p' server.out` \
+ `sed -n 's/listen sock: //p' nc-server.out` \
>netcat.out
# check that the server child run successfully to the end
- grep -q '^success$$' server.out
+ grep -q '^success$$' nc-server.out
# server must have read client hello
- grep -q '^<<< hello$$' server.out
+ grep -q '^<<< hello$$' nc-server.out
# client must have read server greeting
grep -q '^greeting$$' netcat.out
-# check that programs have used correct runtime library
+# run test server and with test client, self test the ssl library
-REGRESS_TARGETS += ${PROGS:S/^/run-version-/}
+CLEANFILES += self-client.out self-server.out
+REGRESS_TARGETS += run-self
+self-client.out self-server.out run-self: client server 127.0.0.1.crt
+ @echo '\n======== $@ ========'
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 \
+ >self-server.out
+ LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./client \
+ `sed -n 's/listen sock: //p' self-server.out` \
+ >self-client.out
+ # check that the client run successfully to the end
+ grep -q '^success$$' self-client.out
+ # client must have read server greeting
+ grep -q '^<<< greeting$$' self-client.out
+ # check that the server child run successfully to the end
+ grep -q '^success$$' self-server.out
+ # server must have read client hello
+ grep -q '^<<< hello$$' self-server.out
+
+.for o in nc-client nc-server self-client self-server
+
+# check that client and server have used correct runtime library
+
+REGRESS_TARGETS += run-version-$o
+
+# check that client and server have used correct TLS protocol
+
+REGRESS_TARGETS += run-protocol-$o
+
+.endfor
# create certificates for TLS
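Review bot: In the new run-self recipe the two greps on self-server.out run as soon as `./client` returns, and nothing visible in the recipe waits for the server child to finish writing its output. If the client can exit before the server child has printed `success`, those checks would fail intermittently; whether that can happen depends on the client and server sources, which are outside this diff. If the programs do guarantee the ordering, a comment above the server greps would record the assumption, for example `# client returns only after the server child has finished`. The section comment also reads oddly; `# run test server and connect with test client, self test the ssl library` would match the wording of the two sections above it.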
diff --git a/regress/lib/libssl/interop/README b/regress/lib/libssl/interop/README
index d8847e5ef55..1bd418c9cc2 100644
--- a/regress/lib/libssl/interop/README
+++ b/regress/lib/libssl/interop/README
@@ -5,6 +5,10 @@ by linking them with LibreSSL or OpenSSL 1.0.2 or OpenSSL 1.1. This
way API compatibility is tested. Connect and accept with netcat
to test protocol compatibility with libtls.
+To self test each SSL library, connect client with server. Check
+that the highest available TLS version is selected. LibreSSL TLS
+1.3 check has to be enabled when the feature becomes available.
+
Currently OpenSSL 1.0.2p and OpenSSL 1.1.1 from ports are used. As
soon as LibreSSL supports TLS 1.3, it should be used automatically
when netcat is communicating with OpenSSL 1.1.
diff --git a/regress/lib/libssl/interop/libressl/Makefile b/regress/lib/libssl/interop/libressl/Makefile
index 5fce6c5c223..19557ffbc1c 100644
--- a/regress/lib/libssl/interop/libressl/Makefile
+++ b/regress/lib/libssl/interop/libressl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2018/11/07 20:46:28 bluhm Exp $
PROGS = client server
CPPFLAGS =
@@ -7,6 +7,12 @@ LDADD = -lssl -lcrypto
DPADD = ${LIBSSL} ${LIBCRYPTO}
LD_LIBRARY_PATH =
+run-protocol-self-client run-protocol-self-server \
+run-protocol-nc-client run-protocol-nc-server:
+ @echo '\n======== $@ ========'
+ # LibreSSL does not support TLS 1.3 yet
+ @echo DISABLED
+
.for p in ${PROGS}
run-ldd-$p: ldd-$p.out
@echo '\n======== $@ ========'
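Review bot: The override for the four run-protocol targets prints DISABLED and checks nothing, so these targets pass whatever protocol version was negotiated, including one below TLS 1.2. Assuming TLS 1.2 is what LibreSSL negotiates today, asserting that version until TLS 1.3 lands keeps a downgrade visible, e.g. `grep 'Protocol *: TLSv1\.2' ${@:S/^run-protocol-//}.out` in place of `@echo DISABLED`. The override added in openssl11/Makefile for run-protocol-nc-client and run-protocol-nc-server has the same gap. These targets also receive a second recipe from the `.for o` loop further down in this file, so which one runs depends on how make resolves the duplicate; a comment such as `# remove this block to enable the TLS 1.3 check in the loop below` would make the intent explicit.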
@@ -15,11 +21,18 @@ run-ldd-$p: ldd-$p.out
grep -q /usr/lib/libssl.so ldd-$p.out
# check that $p is not linked with OpenSSL
! grep /usr/local/lib/ ldd-$p.out
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
@echo '\n======== $@ ========'
# check that runtime version is LibreSSL
- grep 'SSLEAY_VERSION: LibreSSL' $p.out
+ grep 'SSLEAY_VERSION: LibreSSL' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $o.out
.endfor
.include <bsd.regress.mk>
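Review bot: The pattern in the new run-protocol-$o recipe, `grep 'Protocol *: TLSv1.3' $o.out`, leaves the dot unescaped, so it accepts any character between `1` and `3`. Writing `grep 'Protocol *: TLSv1\.3' $o.out` restricts the check to the intended version string. The same applies to the run-protocol-$o recipes added in openssl/Makefile (`TLSv1.2`) and in openssl11/Makefile (`TLSv1.3`).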
diff --git a/regress/lib/libssl/interop/openssl/Makefile b/regress/lib/libssl/interop/openssl/Makefile
index 9661767d7b0..ad0c7288cab 100644
--- a/regress/lib/libssl/interop/openssl/Makefile
+++ b/regress/lib/libssl/interop/openssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2018/11/07 06:29:26 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2018/11/07 20:46:28 bluhm Exp $
.if ! exists(/usr/local/bin/eopenssl)
regress:
@@ -22,11 +22,18 @@ run-ldd-$p: ldd-$p.out
grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
# check that $p is not linked with LibreSSL
! grep -v libc.so ldd-$p.out | grep /usr/lib/
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
@echo '\n======== $@ ========'
# check that runtime version is OpenSSL 1.0
- grep 'SSLEAY_VERSION: OpenSSL 1.0' $p.out
+ grep 'SSLEAY_VERSION: OpenSSL 1.0' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.2
+ grep 'Protocol *: TLSv1.2' $o.out
.endfor
.include <bsd.regress.mk>
diff --git a/regress/lib/libssl/interop/openssl11/Makefile b/regress/lib/libssl/interop/openssl11/Makefile
index b11e08488aa..e7257a3976f 100644
--- a/regress/lib/libssl/interop/openssl11/Makefile
+++ b/regress/lib/libssl/interop/openssl11/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2018/11/07 19:09:01 bluhm Exp $
+# $OpenBSD: Makefile,v 1.2 2018/11/07 20:46:28 bluhm Exp $
.if ! exists(/usr/local/bin/eopenssl11)
regress:
@@ -14,6 +14,11 @@ DPADD = /usr/local/lib/eopenssl11/libssl.a \
/usr/local/lib/eopenssl11/libcrypto.a
LD_LIBRARY_PATH = /usr/local/lib/eopenssl11
+run-protocol-nc-client run-protocol-nc-server:
+ @echo '\n======== $@ ========'
+ # LibreSSL does not support TLS 1.3 yet
+ @echo DISABLED
+
.for p in ${PROGS}
run-ldd-$p: ldd-$p.out
@echo '\n======== $@ ========'
@@ -22,11 +27,18 @@ run-ldd-$p: ldd-$p.out
grep -q /usr/local/lib/eopenssl11/libssl.so ldd-$p.out
# check that $p is not linked with LibreSSL
! grep -v libc.so ldd-$p.out | grep /usr/lib/
+.endfor
-run-version-$p: $p.out
+.for o in nc-client nc-server self-client self-server
+run-version-$o: $o.out
@echo '\n======== $@ ========'
# check that runtime version is OpenSSL 1.1
- grep 'SSLEAY_VERSION: OpenSSL 1.1' $p.out
+ grep 'SSLEAY_VERSION: OpenSSL 1.1' $o.out
+
+run-protocol-$o: $o.out
+ @echo '\n======== $@ ========'
+ # check that protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $o.out
.endfor
.include <bsd.regress.mk>