From aff767284618e4bdc4cd19a50549d4be09b39c36 Mon Sep 17 00:00:00 2001
From: bluhm <>
Date: Sat, 12 Sep 2020 15:48:30 +0000
Subject: If CPU does not support AES-NI, LibreSSL TLS 1.3 client prefers chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
---
 src/regress/lib/libssl/interop/cipher/Makefile | 27 +++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index 49c267c705..4ad2dbe39b 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2020/09/11 22:48:00 bluhm Exp $
+# $OpenBSD: Makefile,v 1.5 2020/09/12 15:48:30 bluhm Exp $
 # Connect a client to a server. Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
@@ -130,20 +130,29 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 .if "${clib}" != "openssl" && "${slib}" != "openssl" && \
 "${cipher:C/AEAD-(AES.*-GCM|CHACHA.*-POLY.*)-SHA.*/TLS1_3/}" != TLS1_3
 # client and server 1.3 capable, not TLS 1.3 cipher
-.if "${clib}" == "openssl11"
+. if "${clib}" == "libressl"
+ # libressl client may prefer chacha-poly if aes-ni is not supported
+ egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/client/}.out
+. else
 # openssl 1.1 generic client cipher
 grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/client/}.out
-.else
- # libressl generic client cipher
- grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/client/}.out
-.endif
-.if "${slib}" == "openssl11"
+. endif
+. if "${clib}" == "libressl"
+ # libressl client may prefer chacha-poly if aes-ni is not supported
+. if "${slib}" == "openssl11"
+ egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
+. else
+ egrep -q ' Cipher *: AEAD-(AES256-GCM-SHA384|CHACHA20-POLY1305-SHA256)$$' ${@:S/^check/server/}.out
+. endif
+. else
+. if "${slib}" == "openssl11"
 # openssl 1.1 generic server cipher
 grep -q ' Cipher *: TLS_AES_256_GCM_SHA384$$' ${@:S/^check/server/}.out
-.else
+. else
 # libressl generic server cipher
 grep -q ' Cipher *: AEAD-AES256-GCM-SHA384$$' ${@:S/^check/server/}.out
-.endif
+. endif
+. endif
 .else
 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
-- 
cgit v1.2.3-55-g6feb
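Review bot: Each `egrep` in the libressl-client branch accepts AES-256-GCM or ChaCha20-Poly1305 on its own, so nothing here checks that the client and server `.out` files report the same suite, and on a machine with AES-NI a changed client preference order would pass unnoticed. If that loss of precision is intended, state it in the comment above the first `egrep`, for example `# either suite passes; preference order and client/server agreement are not checked`. The second `. if "${clib}" == "libressl"` repeats the condition that `. endif` closed on the line before, so the client and server checks could sit in one conditional. The outer `.if`/`.else` block and the rule's prerequisite list continue outside this hunk.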