5 files changed, 70 insertions, 12 deletions

diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 789ff00e7f..2f6b165ae6 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.15 2021/08/30 17:34:02 tb Exp $
+# $OpenBSD: Makefile,v 1.16 2023/01/27 08:28:36 tb Exp $
 
-SUBDIR =        libressl openssl openssl11
+SUBDIR =        libressl openssl openssl11 openssl30
 
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 6698975d7e..6156a988ae 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.7 2021/09/03 11:58:24 bluhm Exp $
+# $OpenBSD: Makefile,v 1.8 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1.  Create client and server certificates
+# openssl 1.0.2, 1.1, or 3.0.  Create client and server certificates
 # that are signed by a CA and not signed by a fake CA.  Try all
 # combinations with, without, and with wrong CA for client and server
 # and check the result of certificate verification.
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 .for cca in noca ca fakeca
 .for sca in noca ca fakeca
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index bfe8cfea7a..46951f6782 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
-# openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
+# openssl 1.0.2, 1.1, or 3.0.  Create lists of supported ciphers
 # and pin client and server to one of the ciphers.  Use server
 # certificate with compatible type.  Check that client and server
 # have used correct cipher by grepping in their session print out.
@@ -24,6 +24,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 CLEANFILES =    *.tmp *.ciphers ciphers.mk
 
@@ -52,8 +55,9 @@ client-${clib}-server-${slib}.ciphers: \
         uniq -d <$@.tmp >$@
         # we are only interested in ciphers supported by libressl
         sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
-        # OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
+        "${clib}" == "openssl30" || "${slib}" == "openssl30"
+        # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
         sed -i '/^TLS_/d' $@.tmp
 . endif
         uniq -d <$@.tmp >$@
@@ -82,6 +86,7 @@ regress: ciphers.mk
 LEVEL_libressl =
 LEVEL_openssl =
 LEVEL_openssl11 = ,@SECLEVEL=0
+LEVEL_openssl30 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -148,7 +153,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
         # libressl client may prefer chacha-poly if aes-ni is not supported
-.  if "${slib}" == "openssl11"
+.  if "${slib}" == "openssl11" || "${slib}" == "openssl30"
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 .  else
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/src/regress/lib/libssl/interop/openssl30/Makefile b/src/regress/lib/libssl/interop/openssl30/Makefile
new file mode 100644
index 0000000000..d667d1b17e
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl30/Makefile
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/01/27 08:28:36 tb Exp $
+
+.if ! exists(/usr/local/bin/eopenssl30)
+regress:
+        # install openssl-3.0 from ports for interop tests
+        @echo 'Run "pkg_add openssl--%3.0" to run tests against OpenSSL 3.0'
+        @echo SKIPPED
+.else
+
+PROGS =                 client server
+CPPFLAGS =              -I /usr/local/include/eopenssl30
+LDFLAGS =               -L /usr/local/lib/eopenssl30
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl30/libssl.a \
+                        /usr/local/lib/eopenssl30/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl30
+REGRESS_TARGETS =       run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+        # check that $p is linked with OpenSSL 3.0
+        grep -q /usr/local/lib/eopenssl30/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl30/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+        # check that runtime version is OpenSSL 3.0
+        grep 'SSLEAY_VERSION: OpenSSL 3.0' $p-self.out
+
+run-protocol-$p: $p-self.out
+        # check that OpenSSL 3.0 protocol version is TLS 1.3
+        grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl30)
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 7ac86ccbeb..7b1be9a3ed 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2020/12/17 00:51:12 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2023/01/27 08:28:36 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1.  Pin client or server to a fixed TLS
@@ -13,6 +13,9 @@ LIBRARIES +=		openssl
 .if exists(/usr/local/bin/eopenssl11)
 LIBRARIES +=            openssl11
 .endif
+.if exists(/usr/local/bin/eopenssl30)
+LIBRARIES +=            openssl30
+.endif
 
 VERSIONS =      any TLS1 TLS1_1 TLS1_2 TLS1_3
 
@@ -28,8 +31,12 @@ FAIL_${cver}_${sver} = !
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
 
-.if ("${clib}" != openssl && "${slib}" != openssl) || \
-    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)
+.if (("${clib}" != openssl && "${slib}" != openssl) || \
+    ("${cver}" != TLS1_3 && "${sver}" != TLS1_3)) && \
+    (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+    (("${cver}" != any && "${sver}" != any) && \
+    ("${cver}" != TLS1 && "${sver}" != TLS1) && \
+    ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
 
 .if ("${clib}" == "libressl" || "${slib}" == "libressl")
 REGRESS_TARGETS +=      run-version-client-${clib}-${cver}-server-${slib}-${sver}