1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
# $OpenBSD: Makefile,v 1.5 2021/08/29 12:40:37 tb Exp $
# Copyright (c) 2021 Jan Klemkow <j.klemkow@wemelug.de>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# This regression test is based on manual test descriptions from:
# https://github.com/noxxi/libressl-tests
# The following port must be installed for the regression tests:
# p5-IO-Socket-SSL perl interface to SSL sockets
PERL = perl
OPENSSL ?= openssl
.if !(make(clean) || make(cleandir) || make(obj))
. if !exists(/usr/local/libdata/perl5/site_perl/IO/Socket/SSL.pm)
regress:
@echo "missing package p5-IO-Socket-SSL"
@echo SKIPPED
. endif
.endif
REGRESS_TARGETS += test-inlabel-wildcard-cert-no-CA-client
REGRESS_TARGETS += test-inlabel-wildcard-cert-CA-client
REGRESS_TARGETS += test-common-wildcard-cert-no-CA-client
REGRESS_TARGETS += test-common-wildcard-cert-CA-client
REGRESS_TARGETS += test-verify-unusual-wildcard-cert
REGRESS_TARGETS += test-openssl-verify-common-wildcard-cert
REGRESS_TARGETS += test-chain-certificates-s_server
REGRESS_TARGETS += test-alternative-chain
REGRESS_CLEANUP = cleanup-ssl
REGRESS_SETUP_ONCE = create-libressl-test-certs
REGRESS_EXPECTED_FAILURES += test-inlabel-wildcard-cert-no-CA-client
REGRESS_EXPECTED_FAILURES += test-unusual-wildcard-cert-no-CA-client
REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-no-CA-client
REGRESS_EXPECTED_FAILURES += test-common-wildcard-cert-CA-client
create-libressl-test-certs: create-libressl-test-certs.pl
${PERL} ${.CURDIR}/$@.pl
cleanup-ssl:
rm *.pem *.key
test-inlabel-wildcard-cert-no-CA-client:
# unusual wildcard cert, no CA given to client
# start server
${OPENSSL} s_server -naccept 1 -cert server-unusual-wildcard.pem \
-key server-unusual-wildcard.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
${OPENSSL} s_client -verify_return_error \
| grep "Verify return code: 21"
test-inlabel-wildcard-cert-CA-client:
# unusual wildcard cert, CA given to client
# start server
${OPENSSL} s_server -naccept 1 -cert server-unusual-wildcard.pem \
-key server-unusual-wildcard.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
${OPENSSL} s_client -CAfile caR.pem \
| grep "Verify return code: 0"
test-common-wildcard-cert-no-CA-client:
# common wildcard cert, no CA given to client
# start server
${OPENSSL} s_server -naccept 1 -cert server-common-wildcard.pem \
-key server-common-wildcard.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
${OPENSSL} s_client \
| grep "Verify return code: 21"
test-common-wildcard-cert-CA-client:
# common wildcard cert, CA given to client
# start server
${OPENSSL} s_server -naccept 1 -cert server-unusual-wildcard.pem \
-key server-unusual-wildcard.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
${OPENSSL} s_client -CAfile caR.pem \
| grep "Verify return code: 21"
test-verify-unusual-wildcard-cert:
# openssl verify, unusual wildcard cert
${OPENSSL} verify -CAfile caR.pem server-unusual-wildcard.pem \
| grep "server-unusual-wildcard.pem: OK"
test-openssl-verify-common-wildcard-cert:
# openssl verify, common wildcard cert
${OPENSSL} verify -CAfile caR.pem server-common-wildcard.pem \
| grep "server-common-wildcard.pem: OK"
test-chain-certificates-s_server:
# Not all chain certificates are sent in s_server
# start server
${OPENSSL} s_server -naccept 1 -cert server-subca-chainS.pem -CAfile subcaR.pem & \
timeout=$$(($$(date +%s) + 5)); \
while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
do test $$(date +%s) -lt $$timeout || exit 1; done
# start client
${OPENSSL} s_client -CAfile caR.pem | grep "Verify return code: 0"
test-alternative-chain:
# alternative chain not found
${OPENSSL} verify -verbose -trusted caR.pem -untrusted chainSX.pem \
server-subca.pem | grep "server-subca.pem: OK"
.include <bsd.regress.mk>
|
