From: tb <tb@openbsd.org>
Date: Sat, 5 Feb 2022 18:34:06 +0000 (+0000)
Subject: Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=dd9b82d8fab95544b5e8117b3f59d5e41c37b61d;p=openbsd

Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_list

SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers.
This wasn't a problem until now since the AEAD- ciphers were counted as
distinct from TLS_ ciphers by the regress test, so they were never used
in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests

With the renaming, the TLSv1.3 ciphers are now considered as common
ciphers, so they're tested. With openssl11 this results in

0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573:

The design of these tests doesn't allow easily adding a call to
SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2)
so skip the TLS_* ciphers for the time being.
---

diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 77ed0f7ebef..bfe8cfea7ae 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.8 2022/02/05 18:21:09 tb Exp $
+# $OpenBSD: Makefile,v 1.9 2022/02/05 18:34:06 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.0.2, or openssl 1.1.  Create lists of supported ciphers
@@ -52,6 +52,10 @@ client-${clib}-server-${slib}.ciphers: \
 	uniq -d <$@.tmp >$@
 	# we are only interested in ciphers supported by libressl
 	sort $@ client-libressl.ciphers >$@.tmp
+. if "${clib}" == "openssl11" || "${slib}" == "openssl11"
+	# OpenSSL 1.1's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
+	sed -i '/^TLS_/d' $@.tmp
+. endif
 	uniq -d <$@.tmp >$@
 	rm $@.tmp
 .endfor