Hi, A coworker of mine has run tests against LibreSSL [1] and found some regressions. I took his test descriptions and created the following automated regression test. He describes his findings in detail in the repository. I kept the file and subtest numbers in the target names for now, so it's easier to match them with his files.
I don't know how to handle the result of "test-01-ssl". Thats why its just a comment. Someone may have an idea to handle this properly. Any comments, wishes or OK's? bye, Jan [1]: https://github.com/noxxi/libressl-tests Index: regress/lib/libssl/Makefile =================================================================== RCS file: /cvs/src/regress/lib/libssl/Makefile,v retrieving revision 1.42 diff -u -p -r1.42 Makefile --- regress/lib/libssl/Makefile 14 Oct 2020 15:53:22 -0000 1.42 +++ regress/lib/libssl/Makefile 12 Feb 2021 19:42:56 -0000 @@ -16,6 +16,7 @@ SUBDIR += tlsext SUBDIR += tlslegacy SUBDIR += key_schedule SUBDIR += unit +SUBDIR += validate # Things that take a long time should go below here. SUBDIR += tlsfuzzer Index: regress/lib/libssl/validate/Makefile =================================================================== RCS file: regress/lib/libssl/validate/Makefile diff -N regress/lib/libssl/validate/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ regress/lib/libssl/validate/Makefile 13 Feb 2021 10:50:30 -0000 
@@ -0,0 +1,104 @@
+# Tests from: https://github.com/noxxi/libressl-tests
+
+PERL=perl
+
+REGRESS_TARGETS = test-00-01-ssl
+REGRESS_TARGETS += test-00-02-ssl
+REGRESS_TARGETS += test-00-03-ssl
+REGRESS_TARGETS += test-00-04-ssl
+REGRESS_TARGETS += test-00-05-ssl
+REGRESS_TARGETS += test-00-06-ssl
+REGRESS_TARGETS += test-01-ssl
+REGRESS_TARGETS += test-02-ssl
+REGRESS_ROOT_TARGETS = ${REGRESS_TARGETS}
+REGRESS_CLEANUP = cleanup-ssl
+REGRESS_SETUP = create-libressl-test-certs
+
+create-libressl-test-certs: create-libressl-test-certs.pl
+ ${PERL} ${.CURDIR}/$@.pl
+
+cleanup-ssl:
+ pkill openssl || true
+ rm *.pem *.key
+
+test-00-01-ssl:
+ # unusual wildcard cert, no CA given to client
+ # cleanup
+ pkill openssl || true
+ sleep 2
+ # start client
+ ${KTRACE} openssl s_server -cert server-unusual-wildcard.pem \
+ -key server-unusual-wildcard.pem -www & \
+ timeout=$$(($$(date +%s) + 5)); \
+ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+ do test $$(date +%s) -lt $$timeout || exit 1; done
+ # start client
+ echo "data" | openssl s_client -verify_return_error -connect 127.0.0.1:4433 \
+ | grep "Verify return code: 21"
+
+test-00-02-ssl:
+ # unusual wildcard cert, CA given to client
+ # cleanup
+ pkill openssl || true
+ sleep 2
+ # start server
+ ${KTRACE} openssl s_server -cert server-unusual-wildcard.pem \
+ -key server-unusual-wildcard.pem -www & \
+ timeout=$$(($$(date +%s) + 5)); \
+ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+ do test $$(date +%s) -lt $$timeout || exit 1; done
+ # start client
+ echo "data" | openssl s_client -connect 127.0.0.1:4433 -CAfile caR.pem \
+ | grep "Verify return code: 0"
+
+test-00-03-ssl:
+ # common wildcard cert, no CA given to client
+ # cleanup
+ pkill openssl || true
+ sleep 2
+ # start server
+ ${KTRACE} openssl s_server -cert server-common-wildcard.pem \
+ -key server-common-wildcard.pem -www & \
+ timeout=$$(($$(date +%s) + 5)); \
+ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+ do test $$(date +%s) -lt $$timeout || exit 1; done
+ # start client
+ echo "data" | openssl s_client -connect 127.0.0.1:4433 \
+ | grep "Verify return code: 21"
+
+test-00-04-ssl:
+ # common wildcard cert, CA given to client
+ # cleanup
+ pkill openssl || true
+ sleep 2
+ # start server
+ ${KTRACE} openssl s_server -cert server-unusual-wildcard.pem \
+ -key server-unusual-wildcard.pem -www & \
+ timeout=$$(($$(date +%s) + 5)); \
+ while fstat -p $$! | ! grep -q 'tcp .* \*:4433$$'; \
+ do test $$(date +%s) -lt $$timeout || exit 1; done
+ # start client
+ echo "data" | openssl s_client -connect 127.0.0.1:4433 -CAfile caR.pem \
+ | grep "Verify return code: 21"
+
+test-00-05-ssl:
+ # openssl verify, unusual wildcard cert
+ openssl verify -CAfile caR.pem server-unusual-wildcard.pem \
+ | grep "server-unusual-wildcard.pem: OK"
+
+test-00-06-ssl:
+ # openssl verify, common wildcard cert
+ openssl verify -CAfile caR.pem server-common-wildcard.pem \
+ | grep "server-common-wildcard.pem: OK"
+
+test-01-ssl:
+ # Not all chain certificates are sent in s_server
+ # openssl s_server -cert server-subca.pem -CAfile subcaR.pem -www
+ # XXX: don't know how to check the result
+
+test-02-ssl:
+ # alternative chain not found
+ openssl verify -verbose -trusted caR.pem -untrusted chainSX.pem server-subca.pem \
+ | grep "server-subca.pem: Ok"
+
+.include <bsd.regress.mk>
Index: regress/lib/libssl/validate/create-libressl-test-certs.pl
===================================================================
RCS file: regress/lib/libssl/validate/create-libressl-test-certs.pl
diff -N regress/lib/libssl/validate/create-libressl-test-certs.pl
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ regress/lib/libssl/validate/create-libressl-test-certs.pl 12 Feb 2021 16:34:20 -0000
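Review bot: test-00-04-ssl cannot pass alongside test-00-02-ssl as written: both start `s_server` with `server-unusual-wildcard.pem` and run the same `s_client -connect 127.0.0.1:4433 -CAfile caR.pem` command, yet one greps for `Verify return code: 0` and the other for `Verify return code: 21`. The target's comment says it covers the common wildcard cert with the CA given, so the server lines presumably should read `-cert server-common-wildcard.pem \` and `-key server-common-wildcard.pem -www & \`, with the expected return code confirmed against the upstream test description. Similarly, test-02-ssl greps for `server-subca.pem: Ok` while test-00-05-ssl and test-00-06-ssl grep for `: OK`; grep is case-sensitive, so that target would fail even when the alternative chain verifies, and `| grep "server-subca.pem: OK"` looks intended. A validation test that fails for a reason unrelated to chain building hides the regression it is meant to catch.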
@@ -0,0 +1,107 @@
+#!/usr/bin/perl
+use strict;
+use warnings;
+use IO::Socket::SSL::Utils;
+
+# primitive CA - ROOT
+my @ca = cert(
+ CA => 1,
+ subject => { CN => 'ROOT' }
+);
+out('caR.pem', pem(crt => $ca[0]));
+out('caR.key', pem(key => $ca[1]));
+
+# server certificate where SAN contains in-label wildcards which are allowed by
+# RFC 6125
+my @leafcert = cert(
+ issuer => \@ca,
+ purpose => 'server',
+ subject => { CN => 'server.local' },
+ subjectAltNames => [
+ [ DNS => 'bar.server.local' ],
+ [ DNS => 'www*.server.local'],
+ [ DNS => '*.www.server.local'],
+ [ DNS => 'foo.server.local' ],
+ [ DNS => 'server.local' ],
+ ]
+);
+out('server-unusual-wildcard.pem', pem(@leafcert));
+
+@leafcert = cert(
+ issuer => \@ca,
+ purpose => 'server',
+ subject => { CN => 'server.local' },
+ subjectAltNames => [
+ [ DNS => 'bar.server.local' ],
+ [ DNS => '*.www.server.local'],
+ [ DNS => 'foo.server.local' ],
+ [ DNS => 'server.local' ],
+ ]
+);
+out('server-common-wildcard.pem', pem(@leafcert));
+
+# alternative CA - OLD_ROOT
+my @caO = cert(
+ CA => 1,
+ subject => { CN => 'OLD_ROOT' }
+);
+out('caO.pem', pem(crt => $caO[0]));
+out('caO.key', pem(key => $caO[1]));
+
+# alternative ROOT CA, signed by OLD_ROOT, same key as other ROOT CA
+my @caX = cert(
+ issuer => \@caO,
+ CA => 1,
+ subject => { CN => 'ROOT' },
+ key => $ca[1],
+);
+out('caX.pem', pem(crt => $caX[0]));
+out('caX.key', pem(key => $caX[1]));
+
+# subCA below ROOT
+my @subcaR = cert(
+ issuer => \@ca,
+ CA => 1,
+ subject => { CN => 'SubCA.of.ROOT' }
+);
+out('subcaR.pem', pem(crt => $subcaR[0]));
+out('subcaR.key', pem(key => $subcaR[1]));
+out('chainSX.pem', pem($subcaR[0]), pem($caX[0]));
+
+@leafcert = cert(
+ issuer => \@subcaR,
+ purpose => 'server',
+ subject => { CN => 'server.subca.local' },
+ subjectAltNames => [
+ [ DNS => 'server.subca.local' ],
+ ]
+);
+out('server-subca.pem', pem(@leafcert));
+out('server-subca-chainSX.pem', pem(@leafcert, $subcaR[0], $caX[0]));
+out('server-subca-chainS.pem', pem(@leafcert, $subcaR[0]));
+
+
+sub cert { CERT_create(not_after => 10*365*86400+time(), @_) }
+sub pem {
+ my @default = qw(crt key);
+ my %m = (key => \&PEM_key2string, crt => \&PEM_cert2string);
+ my $result = '';
+ while (my $f = shift(@_)) {
+ my $v;
+ if ($f =~m{^(key|crt)$}) {
+ $v = shift(@_);
+ } else {
+ $v = $f;
+ $f = shift(@default) || 'crt';
+ }
+ $f = $m{$f} || die "wrong key $f";
+ $result .= $f->($v);
+ }
+ return $result;
+}
+
+sub out {
+ my $file = shift;
+ open(my $fh,'>',"$file") or die "failed to create $file: $!";
+ print $fh @_
+}
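Review bot: `out` checks the `open` but not the write: the result of `print $fh @_` is ignored and the handle is never explicitly closed, so a failed or short write (a full disk, for example) can leave a truncated PEM that the later `openssl verify` and `s_server` targets would report as a certificate error rather than as a setup failure. I would end the sub with `print {$fh} @_ or die "failed to write $file: $!";` followed by `close($fh) or die "failed to close $file: $!";`. The same sub writes the CA and server private keys under whatever umask the regress run has; these are throwaway test keys, so that is probably acceptable, but a one-line comment saying so would make the intent explicit. A short comment above `pem` describing the two call styles it accepts (`pem(crt => $x)` and positional `pem($crt, $key, ...)`) would also help readers follow how the chain files are assembled.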