Limit the output of the enc -ciphers command to just the ciphers enc can

process.  This means no AEAD ciphers and no XTS mode.

Update the test script that uses this output to test cipher suites to not
filter out the now missing cipher modes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)

diff --git a/apps/enc.c b/apps/enc.c
index 94c8255a7764af95a4bd49535f49fed728c11b3f..1b4ec0bc61d1d399dd2bf08713c9db35f8d40a97 100644 (file)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -563,10 +563,18 @@ static void show_ciphers(const OBJ_NAME *name, void *bio_)
 {
     BIO *bio = bio_;
     static int n;
+    const EVP_CIPHER *cipher;
 
     if (!islower((unsigned char)*name->name))
         return;
 
+    /* Filter out ciphers that we cannot use */
+    cipher = EVP_get_cipherbyname(name->name);
+    if (cipher == NULL ||
+            (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 ||
+            EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
+        return;
+
     BIO_printf(bio, "-%-25s", name->name);
     if (++n == 3) {
         BIO_printf(bio, "\n");

diff --git a/test/recipes/20-test_enc_more.t b/test/recipes/20-test_enc_more.t
index 2ea6897529590d271a95530e92c6422d8831fd7b..1419ddb5c37d63c00d76bb96b05f19550aa20970 100644 (file)
--- a/test/recipes/20-test_enc_more.t
+++ b/test/recipes/20-test_enc_more.t
@@ -29,7 +29,7 @@ my $fail = "";
 my $cmd = "openssl";
 
 my @ciphers =
-    grep(! /wrap|hmac|poly|ocb|xts|^$|^[^-]|(?i)[cg]cm/,
+    grep(! /wrap|^$|^[^-]/,
          (map { split /\s+/ }
               run(app([$cmd, "enc", "-ciphers"]), capture => 1)));