Limit the output of the enc -ciphers command to just the ciphers enc can

process. This means no AEAD ciphers and no XTS mode. Update the test script that uses this output to test cipher suites to not filter out the now missing cipher modes. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2876)
2017-03-08 11:18:55 +10:00 · 2017-03-08 11:18:55 +10:00 · 777f1708a8
commit 777f1708a8
parent 6aad939368
2 changed files with 9 additions and 1 deletions
--- a/apps/enc.c
+++ b/apps/enc.c
@ -563,10 +563,18 @@ static void show_ciphers(const OBJ_NAME *name, void *bio_)
 {
    BIO *bio = bio_;
    static int n;
+    const EVP_CIPHER *cipher;

    if (!islower((unsigned char)*name->name))
        return;

+    /* Filter out ciphers that we cannot use */
+    cipher = EVP_get_cipherbyname(name->name);
+    if (cipher == NULL ||
+            (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 ||
+            EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
+        return;
+
    BIO_printf(bio, "-%-25s", name->name);
    if (++n == 3) {
        BIO_printf(bio, "\n");
--- a/test/recipes/20-test_enc_more.t
+++ b/test/recipes/20-test_enc_more.t
@ -29,7 +29,7 @@ my $fail = "";
 my $cmd = "openssl";

 my @ciphers =
-    grep(! /wrap|hmac|poly|ocb|xts|^$|^[^-]|(?i)[cg]cm/,
+    grep(! /wrap|^$|^[^-]/,
         (map { split /\s+/ }
              run(app([$cmd, "enc", "-ciphers"]), capture => 1)));