authorTheo Buehler <tb@cvs.openbsd.org>2023-10-30 17:15:22 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-10-30 17:15:22 +0000
commit7d17c0af5ea9cae141786fa21f72670a46ec333c (patch)
tree43eb55c04246ecb94e3232311677ec09c2fda864
parent515f67e2ab9c25f92a6e1715f8522abe1f018f10 (diff)
Add support for OpenSSL 3.1 interop tests
Until OpenSSL 3.1 has replaced OpenSSL 3.0 on most architectures, run both tests. Installed packages of OpenSSL 3.0 will update automatically to 3.1, so regress runners should not need to do anything.
-rw-r--r--regress/lib/libssl/interop/Makefile4
-rw-r--r--regress/lib/libssl/interop/botan/Makefile5
-rw-r--r--regress/lib/libssl/interop/cert/Makefile5
-rw-r--r--regress/lib/libssl/interop/cipher/Makefile10
-rw-r--r--regress/lib/libssl/interop/netcat/Makefile5
-rw-r--r--regress/lib/libssl/interop/openssl31/Makefile43
-rw-r--r--regress/lib/libssl/interop/session/Makefile5
-rw-r--r--regress/lib/libssl/interop/version/Makefile8
8 files changed, 74 insertions, 11 deletions
diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile
index 72dc87b5c26..82bef2314d9 100644
--- a/regress/lib/libssl/interop/Makefile
+++ b/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.17 2023/02/01 14:39:09 tb Exp $
+# $OpenBSD: Makefile,v 1.18 2023/10/30 17:15:21 tb Exp $
-SUBDIR = libressl openssl11 openssl30
+SUBDIR = libressl openssl11 openssl30 openssl31
# the above binaries must have been built before we can continue
SUBDIR += netcat
diff --git a/regress/lib/libssl/interop/botan/Makefile b/regress/lib/libssl/interop/botan/Makefile
index 23f8a07bf47..b9570b815af 100644
--- a/regress/lib/libssl/interop/botan/Makefile
+++ b/regress/lib/libssl/interop/botan/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:58:20 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
.include <bsd.own.mk>
@@ -26,6 +26,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
PROGS = client
SRCS_client = client.cpp
diff --git a/regress/lib/libssl/interop/cert/Makefile b/regress/lib/libssl/interop/cert/Makefile
index 47f4422d6e0..ae755be2232 100644
--- a/regress/lib/libssl/interop/cert/Makefile
+++ b/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2023/10/30 17:15:21 tb Exp $
# Connect a client to a server. Both can be current libressl, or
# openssl 1.1 or 3.0. Create client and server certificates
@@ -13,6 +13,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
.for cca in noca ca fakeca
.for sca in noca ca fakeca
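Review bot: The header comment at the top of this file still reads `openssl 1.1 or 3.0` although `openssl31` is now added to `LIBRARIES`, so the comment no longer lists every library the test can exercise. Changing it to `openssl 1.1, 3.0 or 3.1` would keep it accurate. The header comments of cipher/Makefile and version/Makefile carry the same wording and need the same update.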
diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 85d927a92dc..627cfc8f9f0 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.12 2023/04/19 15:34:23 tb Exp $
+# $OpenBSD: Makefile,v 1.13 2023/10/30 17:15:21 tb Exp $
# Connect a client to a server. Both can be current libressl, or
# openssl 1.1 or 3.0. Create lists of supported ciphers
@@ -24,6 +24,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
CLEANFILES = *.tmp *.ciphers ciphers.mk
@@ -53,7 +56,8 @@ client-${clib}-server-${slib}.ciphers: \
# we are only interested in ciphers supported by libressl
sort $@ client-libressl.ciphers >$@.tmp
. if "${clib}" == "openssl11" || "${slib}" == "openssl11" || \
- "${clib}" == "openssl30" || "${slib}" == "openssl30"
+ "${clib}" == "openssl30" || "${slib}" == "openssl30" || \
+ "${clib}" == "openssl31" || "${slib}" == "openssl31"
# OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
sed -i '/^TLS_/d' $@.tmp
. endif
@@ -145,7 +149,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
. endif
. if "${clib}" == "libressl"
# libressl client may prefer chacha-poly if aes-ni is not supported
-. if "${slib}" == "openssl11" || "${slib}" == "openssl30"
+. if "${slib}" == "openssl11" || "${slib}" == "openssl30" || "${slib}" == "openssl31"
egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
. else
egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
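Review bot: The two branches of the `.if` extended on the changed line run what reads as the same `egrep -q` command in this view, so adding `"${slib}" == "openssl31"` may select nothing. If the patterns differ only in spacing that this rendering has collapsed, a one-line comment above the `.if` saying what differs between OpenSSL's and LibreSSL's server output would make that visible. If they really are identical, the conditional can be dropped rather than extended for each new OpenSSL release. The enclosing `.if "${clib}" == "libressl"` block continues past the end of this hunk.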
diff --git a/regress/lib/libssl/interop/netcat/Makefile b/regress/lib/libssl/interop/netcat/Makefile
index 9cf10417af0..568c4d255ae 100644
--- a/regress/lib/libssl/interop/netcat/Makefile
+++ b/regress/lib/libssl/interop/netcat/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2023/02/01 15:38:57 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2023/10/30 17:15:21 tb Exp $
LIBRARIES = libressl
.if exists(/usr/local/bin/eopenssl11)
@@ -7,6 +7,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
# run netcat server and connect with test client
diff --git a/regress/lib/libssl/interop/openssl31/Makefile b/regress/lib/libssl/interop/openssl31/Makefile
new file mode 100644
index 00000000000..8f35fa272f3
--- /dev/null
+++ b/regress/lib/libssl/interop/openssl31/Makefile
@@ -0,0 +1,43 @@
+# $OpenBSD: Makefile,v 1.1 2023/10/30 17:15:21 tb Exp $
+
+.if !exists(/usr/local/bin/eopenssl31)
+regress:
+ # install openssl-3.1 from ports for interop tests
+ @echo 'Run "pkg_add openssl--%3.1" to run tests against OpenSSL 3.1'
+ @echo SKIPPED
+.else
+
+PROGS = client server
+CPPFLAGS = -I /usr/local/include/eopenssl31
+LDFLAGS = -L /usr/local/lib/eopenssl31
+LDADD = -lssl -lcrypto
+DPADD = /usr/local/lib/eopenssl31/libssl.a \
+ /usr/local/lib/eopenssl31/libcrypto.a
+LD_LIBRARY_PATH = /usr/local/lib/eopenssl31
+REGRESS_TARGETS = run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS += run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+ # check that $p is linked with OpenSSL 3.1
+ grep -q /usr/local/lib/eopenssl31/libcrypto.so ldd-$p.out
+ grep -q /usr/local/lib/eopenssl31/libssl.so ldd-$p.out
+ # check that $p is not linked with LibreSSL
+ ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+ # check that runtime version is OpenSSL 3.1
+ grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out
+
+run-protocol-$p: $p-self.out
+ # check that OpenSSL 3.1 protocol version is TLS 1.3
+ grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl31)
+
+.include <bsd.regress.mk>
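Review bot: The `run-version-$p` check is looser than its comment claims, because in `grep 'SSLEAY_VERSION: OpenSSL 3.1' $p-self.out` the dot matches any character and nothing bounds the minor number. Assuming the version string has the usual `3.1.N` form, `grep 'SSLEAY_VERSION: OpenSSL 3\.1\.' $p-self.out` would pin it to the 3.1 series. The unescaped dots in the `run-ldd-$p` patterns are a smaller instance of the same thing. These targets are the only evidence that the interop results come from OpenSSL 3.1 rather than another installed libssl, so they are worth keeping strict.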
diff --git a/regress/lib/libssl/interop/session/Makefile b/regress/lib/libssl/interop/session/Makefile
index f5858eaba09..99daa4ba4fa 100644
--- a/regress/lib/libssl/interop/session/Makefile
+++ b/regress/lib/libssl/interop/session/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2023/02/01 16:03:47 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2023/10/30 17:15:21 tb Exp $
LIBRARIES = libressl
.if exists(/usr/local/bin/eopenssl11)
@@ -7,6 +7,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
#LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+#LIBRARIES += openssl31
+.endif
run-session-client-libressl-server-libressl \
run-session-client-libressl-server-openssl11 \
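Review bot: The added `.if exists(/usr/local/bin/eopenssl31)` block contains only the commented-out `#LIBRARIES += openssl31`, so it has no effect and nothing explains why session tests are disabled for this library. A comment such as `# session tests against OpenSSL 3.x are disabled: <reason>` next to the existing openssl30 block would record the reason. It would also tell a future reader when the lines can be enabled. Without it, session resumption against OpenSSL 3.1 stays untested and the gap is easy to overlook.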
diff --git a/regress/lib/libssl/interop/version/Makefile b/regress/lib/libssl/interop/version/Makefile
index c4f7705d638..bb4641afa98 100644
--- a/regress/lib/libssl/interop/version/Makefile
+++ b/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2023/07/02 17:21:32 beck Exp $
+# $OpenBSD: Makefile,v 1.8 2023/10/30 17:15:21 tb Exp $
# Connect a client to a server. Both can be current libressl, or
# openssl 1.1 or openssl 3.0. Pin client or server to a fixed TLS
@@ -13,6 +13,9 @@ LIBRARIES += openssl11
.if exists(/usr/local/bin/eopenssl30)
LIBRARIES += openssl30
.endif
+.if exists(/usr/local/bin/eopenssl31)
+LIBRARIES += openssl31
+.endif
VERSIONS = any TLS1_2 TLS1_3
@@ -29,7 +32,8 @@ FAIL_${cver}_${sver} = !
.for slib in ${LIBRARIES}
.if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
- (("${clib}" != openssl30 && "${slib}" != openssl30) || \
+ ((("${clib}" != openssl30 && "${slib}" != openssl30) && \
+ ("${clib}" != openssl31 && "${slib}" != openssl31)) || \
(("${cver}" != any && "${sver}" != any) && \
("${cver}" != TLS1 && "${sver}" != TLS1) && \
("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
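Review bot: The condition does not say why `openssl30` and `openssl31` are singled out, and the added clause nests it one level deeper. A comment above the `.if`, for example `# OpenSSL 3.x: <reason these version combinations behave differently>`, would let a maintainer decide whether the next OpenSSL release belongs in the list. The `.if` body lies outside this hunk, so what the condition guards is not visible here. The same library names are enumerated in the conditions in cipher/Makefile, so a shared explanation would help there too.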