Enable cert and cipher interop tests. cert just works. cipher has

been fixed to work with libressl TLS 1.3.  Both libressl and openssl11
replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or
TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively.  The test expects
that now.  Currently GOST does not work with libressl and TLS 1.3
and is disabled.

3 files changed, 35 insertions, 55 deletions

diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 3ac0897f06..5ad9041276 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.9 2020/01/25 16:10:32 jsing Exp $
+# $OpenBSD: Makefile,v 1.10 2020/09/11 22:48:00 bluhm Exp $
 
 SUBDIR =        libressl openssl openssl11
 
 # the above binaries must have been built before we can continue
-#SUBDIR +=      cert
-#SUBDIR +=      cipher
+SUBDIR +=       cert
+SUBDIR +=       cipher
 SUBDIR +=       netcat
 SUBDIR +=       session
 
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 3f43ce804e..49c267c705 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2019/03/28 22:24:13 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2020/09/11 22:48:00 bluhm Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
@@ -6,54 +6,16 @@
 # certificate with compatible type.  Check that client and server
 # have used correct cipher by grepping in their session print out.
 
-check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
-        # openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
+run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
+run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \
+client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
+client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
+server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
+server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
+check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
+check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
+        @echo '\n======== $@ ========'
+        # gost does not work with libressl TLS 1.3 right now
         @echo DISABLED
 
 LIBRARIES =             libressl
@@ -165,8 +127,27 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
     client-cipher-${cipher}-client-${clib}-server-${slib}.out \
     server-cipher-${cipher}-client-${clib}-server-${slib}.out
         @echo '\n======== $@ ========'
-        grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
+.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
+    "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3
+        # client and server 1.3 capable, not TLS 1.3 cipher
+.if "${clib}" == "openssl11"
+        # openssl 1.1 generic client cipher
+        grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
+.else
+        # libressl generic client cipher
+        grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/client/}.out
+.endif
+.if "${slib}" == "openssl11"
+        # openssl 1.1 generic server cipher
+        grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
+.else
+        # libressl generic server cipher
+        grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out
+.endif
+.else
         grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
+        grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
+.endif
 
 .endfor
 .endfor
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
index 27ad9a0ade..6a85e35c92 100644
--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: client.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $        */
+/*      $OpenBSD: client.c,v 1.9 2020/09/11 22:48:00 bluhm Exp $        */
 /*
  * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
  *
@@ -52,7 +52,6 @@ main(int argc, char *argv[])
         char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
         char *host_port, *host = "127.0.0.1", *port = "0";
 
-
         while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {
                 switch (ch) {
                 case 'C':