From a91c5ce4ccb891f0e7fdb5cb21fb7a48ca0b1281 Mon Sep 17 00:00:00 2001
From: bluhm <>
Date: Fri, 11 Sep 2020 22:48:00 +0000
Subject: Enable cert and cipher interop tests. cert just works. cipher has been fixed to work with libressl TLS 1.3. Both libressl and openssl11 replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects that now. Currently GOST does not work with libressl and TLS 1.3 and is disabled.
---
 src/regress/lib/libssl/interop/Makefile | 6 +-
 src/regress/lib/libssl/interop/cipher/Makefile | 81 ++++++++++----------------
 src/regress/lib/libssl/interop/client.c | 3 +-
 3 files changed, 35 insertions(+), 55 deletions(-)

diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index 3ac0897f06..5ad9041276 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.9 2020/01/25 16:10:32 jsing Exp $
+# $OpenBSD: Makefile,v 1.10 2020/09/11 22:48:00 bluhm Exp $
 SUBDIR = libressl openssl openssl11
 # the above binaries must have been built before we can continue
-#SUBDIR += cert
-#SUBDIR += cipher
+SUBDIR += cert
+SUBDIR += cipher
 SUBDIR += netcat
 SUBDIR += session
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 3f43ce804e..49c267c705 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.3 2019/03/28 22:24:13 bluhm Exp $
+# $OpenBSD: Makefile,v 1.4 2020/09/11 22:48:00 bluhm Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
@@ -6,54 +6,16 @@
 # certificate with compatible type. Check that client and server
 # have used correct cipher by grepping in their session print out.
-check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
-check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
-check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
-	# openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
+run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
+run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \
+client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
+client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
+server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
+server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
+check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
+check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
+	@echo '\n======== $@ ========'
+	# gost does not work with libressl TLS 1.3 right now
 	@echo DISABLED
 LIBRARIES = libressl
@@ -165,8 +127,27 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 	client-cipher-${cipher}-client-${clib}-server-${slib}.out \
 	server-cipher-${cipher}-client-${clib}-server-${slib}.out
 	@echo '\n======== $@ ========'
-	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
+.if "${clib}" != "openssl" && "${slib}" != "openssl" && \
+	"${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3
+	# client and server 1.3 capable, not TLS 1.3 cipher
+.if "${clib}" == "openssl11"
+	# openssl 1.1 generic client cipher
+	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
+.else
+	# libressl generic client cipher
+	grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/client/}.out
+.endif
+.if "${slib}" == "openssl11"
+	# openssl 1.1 generic server cipher
+	grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
+.else
+	# libressl generic server cipher
+	grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out
+.endif
+.else
 	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
+	grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
+.endif
 .endfor
 .endfor
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
index 27ad9a0ade..6a85e35c92 100644
--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: client.c,v 1.8 2019/03/21 17:52:26 bluhm Exp $ */
+/* $OpenBSD: client.c,v 1.9 2020/09/11 22:48:00 bluhm Exp $ */
 /*
  * Copyright (c) 2018-2019 Alexander Bluhm
  *
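Review bot: The GOST stub at the top of the hunk succeeds with the context line `@echo DISABLED`, so all eight run-/client-/server-/check- targets for GOST2001 and GOST2012256 report as passed although no client or server is ever started, and the comment `# gost does not work with libressl TLS 1.3 right now` records neither what is observed to fail nor the condition under which the stub may be removed. Suggest `# GOST stub: with libressl on both sides TLS 1.3 is negotiated and the GOST runs do not work; delete this block once libressl handles GOST under TLS 1.3 so the generic .for rules below take over`. If the generic rules further down also attach scripts to these target names, bmake will warn about duplicate scripts and keep the first definition, which presumably is what lets this stub win over the generic rule; that dependency on ordering is worth a sentence in the comment as well.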
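Review bot: In the new `.if` branch of check-cipher the requested `${cipher}` is no longer asserted at all: every TLS 1.2 suite run between two 1.3-capable ends passes as long as the default AES-256-GCM TLS 1.3 suite appears in both .out files, so a client or server that silently ignores its cipher setting still passes for those combinations. The branch also never confirms that TLS 1.3 was actually negotiated, which is the premise behind substituting the expected suite; if the session print-out carries the usual `Protocol  :` line next to `Cipher    :`, adding `grep -q ' Protocol *: TLSv1\.3$$' ${@:S/^check/client/}.out` and the server counterpart would pin that. The `:C/.../TLS1_3/` test treats any library name other than "openssl" as 1.3-capable, which is fine for the three libraries listed but should be said in a comment above the `.if`, e.g. `# both ends upgrade to TLS 1.3 and choose their own AEAD suite, so ${cipher} cannot be exercised here; only check the negotiated TLS 1.3 suite`. The enclosing `.for` loops start above the hunk.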
@@ -52,7 +52,6 @@ main(int argc, char *argv[])
 	char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
 	char *host_port, *host = "127.0.0.1", *port = "0";
-
 	while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {
 		switch (ch) {
 		case 'C':
-- 
cgit v1.2.3-55-g6feb