Add openssl 3.0 interop tests

The plan is to retire the 1.0.2 interop tests soon so as to be able to
drop the dead and dangerous OpenSSL 1.0.2 port.

The cert part is extremely slow on arm64: the whole interop test on an m1
is about 10x slower (~45 min!) than on a modern amd64 laptop, so people
running regress may want to wait a bit with adding OpenSSL 3 to their test
boxes until this is sorted out.

5 files changed, 70 insertions, 12 deletions

diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 789ff00e7f..2f6b165ae6 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.15 2021/08/30 17:34:02 tb Exp $
+# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
 
-SUBDIR =        libressl openssl openssl11
+SUBDIR =        libressl openssl openssl11 openssl30
 
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 6698975d7e..6156a988ae 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.7 2021/09/03 11:58:24 bluhm Exp $
+# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1.  Create client and server certificates
+# openssl 1.0.2, 1.1, or 3.0.  Create client and server certificates
 # that are signed by a CA and not signed by a fake CA.  Try all
 # combinations with, without, and with wrong CA for client and server
 # and check the result of certificate verification.
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 .for cca in noca ca fakeca
 .for sca in noca ca fakeca
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index bfe8cfea7a..46951f6782 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
+# openssl 1.0.2, 1.1, or 3.0.  Create lists of supported ciphers
 # and pin client and server to one of the ciphers.  Use server
 # certificate with compatible type.  Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -24,6 +24,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 CLEANFILES =    *.tmp *.ciphers ciphers.mk
 
@@ -52,8 +55,9 @@ client-${clib}-server-${slib}.ciphers: \
         uniq -d <$@.tmp >$@
         # we are only interested in ciphers supported by libressl
         sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
-        # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
+        "${clib}" == "openssl30" || "${slib}" == "openssl30"
+        # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
         sed -i '/^TLS_/d' $@.tmp
 . endif
         uniq -d <$@.tmp >$@
@@ -82,6 +86,7 @@ regress: ciphers.mk
 LEVEL_libressl =
 LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
+LEVEL_openssl30 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -148,7 +153,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
         # libressl client may prefer chacha-poly if aes-ni is not supported
-.  if "${slib}" == "openssl11"
+.  if "${slib}" == "openssl11" || "${slib}" == "openssl30"
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 .  else
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/src/regress/lib/libssl/interop/openssl30/Makefile b/src/regress/lib/libssl/interop/openssl30/Makefile
new file mode 100644
index 0000000000..d667d1b17e
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl30/Makefile
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/01/27 08:28:36 tb Exp $
+
+.if ! exists(/usr/local/bin/eopenssl30)
+regress:
+        # install openssl-3.0 from ports for interop tests
+        @echo 'Run "pkg_add openssl--%3.0" to run tests against OpenSSL 3.0'
+        @echo SKIPPED
+.else
+
+PROGS =                 client server
+CPPFLAGS =              -I /usr/local/include/eopenssl30
+LDFLAGS =               -L /usr/local/lib/eopenssl30
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl30/libssl.a \
+                        /usr/local/lib/eopenssl30/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl30
+REGRESS_TARGETS =       run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+        # check that $p is linked with OpenSSL 3.0
+        grep -q /usr/local/lib/eopenssl30/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl30/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+        # check that runtime version is OpenSSL 3.0
+        grep 'SSLEAY_VERSION: OpenSSL 3.0' $p-self.out
+
+run-protocol-$p: $p-self.out
+        # check that OpenSSL 3.0 protocol version is TLS 1.3
+        grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl30)
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 7ac86ccbeb..7b1be9a3ed 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1.  Pin client or server to a fixed TLS
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 VERSIONS =      any TLS1 TLS1_1 TLS1_2 TLS1_3
 
@@ -28,8 +31,12 @@ FAIL_${cver}_${sver} = !
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
 
-.if ("${clib}" != openssl && "${slib}" != openssl) || \
-    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
+.if (("${clib}" != openssl && "${slib}" != openssl) || \
+    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
+    (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+    (("${cver}" != any && "${sver}" != any) && \
+    ("${cver}" != TLS1 && "${sver}" != TLS1) && \
+    ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
 
 .if ("${clib}" == "libressl" || "${slib}" == "libressl")
 REGRESS_TARGETS +=      run-version-client-${clib}-${cver}-server-${slib}-${sver}