diff options
| author | bluhm <> | 2020-09-12 15:48:30 +0000 |
|---|---|---|
| committer | bluhm <> | 2020-09-12 15:48:30 +0000 |
| commit | aff767284618e4bdc4cd19a50549d4be09b39c36 (patch) | |
| tree | b1cc42c241de1eec0552b36d68a3977eddc7705c | |
| parent | 724fa19847a977c5790a4e1d0b2e4fe6d95646fa (diff) | |
| download | openbsd-aff767284618e4bdc4cd19a50549d4be09b39c36.tar.gz openbsd-aff767284618e4bdc4cd19a50549d4be09b39c36.tar.bz2 openbsd-aff767284618e4bdc4cd19a50549d4be09b39c36.zip | |
If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefers
chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
| -rw-r--r-- | src/regress/lib/libssl/interop/cipher/Makefile | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile index 49c267c705..4ad2dbe39b 100644 --- a/src/regress/lib/libssl/interop/cipher/Makefile +++ b/src/regress/lib/libssl/interop/cipher/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.4 2020/09/11 22:48:00 bluhm Exp $ | 1 | # $OpenBSD: Makefile,v 1.5 2020/09/12 15:48:30 bluhm Exp $ |
| 2 | 2 | ||
| 3 | # Connect a client to a server. Both can be current libressl, or | 3 | # Connect a client to a server. Both can be current libressl, or |
| 4 | # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers | 4 | # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers |
| @@ -130,20 +130,29 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \ | |||
| 130 | .if "${clib}" != "openssl" && "${slib}" != "openssl" && \ | 130 | .if "${clib}" != "openssl" && "${slib}" != "openssl" && \ |
| 131 | "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3 | 131 | "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3 |
| 132 | # client and server 1.3 capable, not TLS 1.3 cipher | 132 | # client and server 1.3 capable, not TLS 1.3 cipher |
| 133 | .if "${clib}" == "openssl11" | 133 | . if "${clib}" == "libressl" |
| 134 | # libressl client may prefer chacha-poly if aes-ni is not supported | ||
| 135 | egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/client/}.out | ||
| 136 | . else | ||
| 134 | # openssl 1.1 generic client cipher | 137 | # openssl 1.1 generic client cipher |
| 135 | grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out | 138 | grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out |
| 136 | .else | 139 | . endif |
| 137 | # libressl generic client cipher | 140 | . if "${clib}" == "libressl" |
| 138 | grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/client/}.out | 141 | # libressl client may prefer chacha-poly if aes-ni is not supported |
| 139 | .endif | 142 | . if "${slib}" == "openssl11" |
| 140 | .if "${slib}" == "openssl11" | 143 | egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out |
| 144 | . else | ||
| 145 | egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/server/}.out | ||
| 146 | . endif | ||
| 147 | . else | ||
| 148 | . if "${slib}" == "openssl11" | ||
| 141 | # openssl 1.1 generic server cipher | 149 | # openssl 1.1 generic server cipher |
| 142 | grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out | 150 | grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out |
| 143 | .else | 151 | . else |
| 144 | # libressl generic server cipher | 152 | # libressl generic server cipher |
| 145 | grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out | 153 | grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out |
| 146 | .endif | 154 | . endif |
| 155 | . endif | ||
| 147 | .else | 156 | .else |
| 148 | grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out | 157 | grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out |
| 149 | grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out | 158 | grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out |