const char *srvrciphers;
const char *srvrtls13ciphers;
const char *shared;
+ const char *fipsshared;
} shared_ciphers_data[] = {
/*
* We can't establish a connection (even in TLSv1.1) with these ciphersuites if
NULL,
"AES256-SHA:DHE-RSA-AES128-SHA",
NULL,
+ "AES256-SHA",
"AES256-SHA"
},
+# if !defined(OPENSSL_NO_CHACHA) \
+ && !defined(OPENSSL_NO_POLY1305) \
+ && !defined(OPENSSL_NO_EC)
+ {
+ TLS1_2_VERSION,
+ "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
+ NULL,
+ "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
+ NULL,
+ "AES128-SHA:ECDHE-RSA-CHACHA20-POLY1305",
+ "AES128-SHA"
+ },
+# endif
{
TLS1_2_VERSION,
"AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA",
NULL,
"AES128-SHA:DHE-RSA-AES256-SHA:AES256-SHA",
NULL,
+ "AES128-SHA:AES256-SHA",
"AES128-SHA:AES256-SHA"
},
{
NULL,
"AES128-SHA:DHE-RSA-AES128-SHA",
NULL,
+ "AES128-SHA",
"AES128-SHA"
},
#endif
"AES256-SHA:AES128-SHA256",
NULL,
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
- "TLS_AES_128_GCM_SHA256:AES256-SHA"
+ "TLS_AES_128_GCM_SHA256:AES256-SHA",
+ "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:AES256-SHA"
},
#endif
#ifndef OPENSSL_NO_TLS1_3
"TLS_AES_256_GCM_SHA384",
"AES256-SHA",
"TLS_AES_256_GCM_SHA384",
+ "TLS_AES_256_GCM_SHA384",
"TLS_AES_256_GCM_SHA384"
},
#endif
};
-static int test_ssl_get_shared_ciphers(int tst)
+static int int_test_ssl_get_shared_ciphers(int tst, int clnt)
{
SSL_CTX *cctx = NULL, *sctx = NULL;
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
char buf[1024];
+ OPENSSL_CTX *tmplibctx = OPENSSL_CTX_new();
+
+ if (!TEST_ptr(tmplibctx))
+ goto end;
+
+ /*
+ * Regardless of whether we're testing with the FIPS provider loaded into
+ * libctx, we want one peer to always use the full set of ciphersuites
+ * available. Therefore we use a separate libctx with the default provider
+ * loaded into it. We run the same tests twice - once with the client side
+ * having the full set of ciphersuites and once with the server side.
+ */
+ if (clnt) {
+ cctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_client_method());
+ if (!TEST_ptr(cctx))
+ goto end;
+ } else {
+ sctx = SSL_CTX_new_with_libctx(tmplibctx, NULL, TLS_server_method());
+ if (!TEST_ptr(sctx))
+ goto end;
+ }
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
goto end;
if (!TEST_ptr(SSL_get_shared_ciphers(serverssl, buf, sizeof(buf)))
- || !TEST_int_eq(strcmp(buf, shared_ciphers_data[tst].shared), 0)) {
+ || !TEST_int_eq(strcmp(buf,
+ is_fips
+ ? shared_ciphers_data[tst].fipsshared
+ : shared_ciphers_data[tst].shared),
+ 0)) {
TEST_info("Shared ciphers are: %s\n", buf);
goto end;
}
SSL_free(clientssl);
SSL_CTX_free(sctx);
SSL_CTX_free(cctx);
+ OPENSSL_CTX_free(tmplibctx);
return testresult;
}
+static int test_ssl_get_shared_ciphers(int tst)
+{
+ return int_test_ssl_get_shared_ciphers(tst, 0)
+ && int_test_ssl_get_shared_ciphers(tst, 1);
+}
+
+
static const char *appdata = "Hello World";
static int gen_tick_called, dec_tick_called, tick_key_cb_called;
static int tick_key_renew = 0;
projects / oweals / openssl.git / commitdiff