[openssl] master update

bernd.edlinger at hotmail.de bernd.edlinger at hotmail.de
Wed Oct 6 13:21:14 UTC 2021


The branch master has been updated
       via  64da15c40d15aac58e211fd25d00e9ae84d0379b (commit)
       via  39ed07454d8df794a36e2b6788043842a22b0909 (commit)
      from  6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc (commit)


- Log -----------------------------------------------------------------
commit 64da15c40d15aac58e211fd25d00e9ae84d0379b
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sun May 24 16:14:02 2020 +0200

    Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
    
    This replaces the AES-128-CBC-HMAC-SHA1 cipher with a
    non-encrypting version for use the test suite.
    
    [extended tests]
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16693)

commit 39ed07454d8df794a36e2b6788043842a22b0909
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Sun May 24 11:11:27 2020 +0200

    Remove OPENSSL_ia32cap overrides in various test scripts
    
    The removed override was: OPENSSL_ia32cap=~0x200000200000000
    which disables AESNI codepaths and PCLMULQDQ (useful for ghash).
    It is unclear why this was done, but it probably just hides bugs.
    
    [extended tests]
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16693)

-----------------------------------------------------------------------

Summary of changes:
 engines/e_ossltest.c                  | 216 +++++++++++++++++++++++++++++++---
 ssl/record/ssl3_record.c              |  23 +---
 ssl/record/tls_pad.c                  |   2 -
 ssl/tls_depr.c                        |  10 +-
 test/recipes/70-test_comp.t           |   2 -
 test/recipes/70-test_key_share.t      |   2 -
 test/recipes/70-test_renegotiation.t  |   1 -
 test/recipes/70-test_sslcbcpadding.t  |   1 -
 test/recipes/70-test_sslcertstatus.t  |   1 -
 test/recipes/70-test_sslextension.t   |   1 -
 test/recipes/70-test_sslmessages.t    |   2 -
 test/recipes/70-test_sslrecords.t     |   1 -
 test/recipes/70-test_sslsessiontick.t |   2 -
 test/recipes/70-test_sslsigalgs.t     |   1 -
 test/recipes/70-test_sslsignature.t   |   1 -
 test/recipes/70-test_sslskewith0p.t   |   1 -
 test/recipes/70-test_sslversions.t    |   2 -
 test/recipes/70-test_sslvertol.t      |   1 -
 test/recipes/70-test_tls13alerts.t    |   2 -
 test/recipes/70-test_tls13cookie.t    |   2 -
 test/recipes/70-test_tls13downgrade.t |   2 -
 test/recipes/70-test_tls13hrr.t       |   2 -
 test/recipes/70-test_tls13kexmodes.t  |   3 -
 test/recipes/70-test_tls13messages.t  |   2 -
 test/recipes/70-test_tls13psk.t       |   2 -
 test/recipes/70-test_tlsextms.t       |   2 -
 26 files changed, 210 insertions(+), 77 deletions(-)

diff --git a/engines/e_ossltest.c b/engines/e_ossltest.c
index 8479414f01..0506faa628 100644
--- a/engines/e_ossltest.c
+++ b/engines/e_ossltest.c
@@ -38,6 +38,7 @@
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
+#include <crypto/evp.h>
 
 #include "e_ossltest_err.c"
 
@@ -247,21 +248,39 @@ static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **,
                             const int **, int);
 
 static int ossltest_cipher_nids[] = {
-    NID_aes_128_cbc, NID_aes_128_gcm, 0
+    NID_aes_128_cbc, NID_aes_128_gcm,
+    NID_aes_128_cbc_hmac_sha1, 0
 };
 
 /* AES128 */
 
-int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                             const unsigned char *iv, int enc);
-int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                               const unsigned char *in, size_t inl);
-int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                             const unsigned char *iv, int enc);
-int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                               const unsigned char *in, size_t inl);
+static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
+                                    const unsigned char *key,
+                                    const unsigned char *iv, int enc);
+static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                      const unsigned char *in, size_t inl);
+static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc);
+static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                      const unsigned char *in, size_t inl);
 static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
                                     void *ptr);
+static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
+                                                  const unsigned char *key,
+                                                  const unsigned char *iv,
+                                                  int enc);
+static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
+                                                unsigned char *out,
+                                                const unsigned char *in,
+                                                size_t inl);
+static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+                                              int arg, void *ptr);
+
+typedef struct {
+    size_t payload_length;      /* AAD length in decrypt case */
+    unsigned int tls_ver;
+} EVP_AES_HMAC_SHA1;
 
 static EVP_CIPHER *_hidden_aes_128_cbc = NULL;
 static const EVP_CIPHER *ossltest_aes_128_cbc(void)
@@ -285,6 +304,7 @@ static const EVP_CIPHER *ossltest_aes_128_cbc(void)
     }
     return _hidden_aes_128_cbc;
 }
+
 static EVP_CIPHER *_hidden_aes_128_gcm = NULL;
 
 #define AES_GCM_FLAGS   (EVP_CIPH_FLAG_DEFAULT_ASN1 \
@@ -315,11 +335,45 @@ static const EVP_CIPHER *ossltest_aes_128_gcm(void)
     return _hidden_aes_128_gcm;
 }
 
+static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL;
+
+static const EVP_CIPHER *ossltest_aes_128_cbc_hmac_sha1(void)
+{
+    if (_hidden_aes_128_cbc_hmac_sha1 == NULL
+        && ((_hidden_aes_128_cbc_hmac_sha1
+             = EVP_CIPHER_meth_new(NID_aes_128_cbc_hmac_sha1,
+                                   16 /* block size */,
+                                   16 /* key len */)) == NULL
+            || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
+            || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
+                   EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
+                   EVP_CIPH_FLAG_AEAD_CIPHER)
+            || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
+                   ossltest_aes128_cbc_hmac_sha1_init_key)
+            || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
+                   ossltest_aes128_cbc_hmac_sha1_cipher)
+            || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1,
+                                         ossltest_aes128_cbc_hmac_sha1_ctrl)
+            || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
+                   EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv)
+            || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
+                   EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv)
+            || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1,
+                   sizeof(EVP_AES_HMAC_SHA1)))) {
+        EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
+        _hidden_aes_128_cbc_hmac_sha1 = NULL;
+    }
+    return _hidden_aes_128_cbc_hmac_sha1;
+}
+
 static void destroy_ciphers(void)
 {
     EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
     EVP_CIPHER_meth_free(_hidden_aes_128_gcm);
+    EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
     _hidden_aes_128_cbc = NULL;
+    _hidden_aes_128_gcm = NULL;
+    _hidden_aes_128_cbc_hmac_sha1 = NULL;
 }
 
 /* Key loading */
@@ -490,6 +544,9 @@ static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
     case NID_aes_128_gcm:
         *cipher = ossltest_aes_128_gcm();
         break;
+    case NID_aes_128_cbc_hmac_sha1:
+        *cipher = ossltest_aes_128_cbc_hmac_sha1();
+        break;
     default:
         ok = 0;
         *cipher = NULL;
@@ -634,14 +691,15 @@ static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
  * AES128 Implementation
  */
 
-int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                             const unsigned char *iv, int enc)
+static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
+                                    const unsigned char *key,
+                                    const unsigned char *iv, int enc)
 {
     return EVP_CIPHER_meth_get_init(EVP_aes_128_cbc()) (ctx, key, iv, enc);
 }
 
-int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                               const unsigned char *in, size_t inl)
+static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                      const unsigned char *in, size_t inl)
 {
     unsigned char *tmpbuf;
     int ret;
@@ -667,15 +725,15 @@ int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     return ret;
 }
 
-int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-                             const unsigned char *iv, int enc)
+static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
+                                        const unsigned char *key,
+                                        const unsigned char *iv, int enc)
 {
     return EVP_CIPHER_meth_get_init(EVP_aes_128_gcm()) (ctx, key, iv, enc);
 }
 
-
-int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-                               const unsigned char *in, size_t inl)
+static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                                      const unsigned char *in, size_t inl)
 {
     unsigned char *tmpbuf = OPENSSL_malloc(inl);
 
@@ -720,6 +778,128 @@ static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
     return 1;
 }
 
+#define NO_PAYLOAD_LENGTH       ((size_t)-1)
+# define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
+
+static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
+                                                  const unsigned char *inkey,
+                                                  const unsigned char *iv,
+                                                  int enc)
+{
+    EVP_AES_HMAC_SHA1 *key = data(ctx);
+    key->payload_length = NO_PAYLOAD_LENGTH;
+    return 1;
+}
+
+static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
+                                                unsigned char *out,
+                                                const unsigned char *in,
+                                                size_t len)
+{
+    EVP_AES_HMAC_SHA1 *key = data(ctx);
+    unsigned int l;
+    size_t plen = key->payload_length;
+
+    key->payload_length = NO_PAYLOAD_LENGTH;
+
+    if (len % AES_BLOCK_SIZE)
+        return 0;
+
+    if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
+        if (plen == NO_PAYLOAD_LENGTH)
+            plen = len;
+        else if (len !=
+                 ((plen + SHA_DIGEST_LENGTH +
+                   AES_BLOCK_SIZE) & -AES_BLOCK_SIZE))
+            return 0;
+
+        memmove(out, in, plen);
+
+        if (plen != len) {      /* "TLS" mode of operation */
+            /* calculate HMAC and append it to payload */
+            fill_known_data(out + plen, SHA_DIGEST_LENGTH);
+
+            /* pad the payload|hmac */
+            plen += SHA_DIGEST_LENGTH;
+            for (l = len - plen - 1; plen < len; plen++)
+                out[plen] = l;
+        }
+    } else {
+        /* decrypt HMAC|padding at once */
+        memmove(out, in, len);
+
+        if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
+            unsigned int maxpad, pad;
+
+            if (key->tls_ver >= TLS1_1_VERSION) {
+                if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1))
+                    return 0;
+
+                /* omit explicit iv */
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+            } else if (len < (SHA_DIGEST_LENGTH + 1))
+                return 0;
+
+            /* figure out payload length */
+            pad = out[len - 1];
+            maxpad = len - (SHA_DIGEST_LENGTH + 1);
+            if (pad > maxpad)
+                return 0;
+            for (plen = len - pad - 1; plen < len; plen++)
+                if (out[plen] != pad)
+                    return 0;
+        }
+    }
+
+    return 1;
+}
+
+static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
+                                              int arg, void *ptr)
+{
+    EVP_AES_HMAC_SHA1 *key = data(ctx);
+
+    switch (type) {
+    case EVP_CTRL_AEAD_SET_MAC_KEY:
+        return 1;
+
+    case EVP_CTRL_AEAD_TLS1_AAD:
+        {
+            unsigned char *p = ptr;
+            unsigned int len;
+
+            if (arg != EVP_AEAD_TLS1_AAD_LEN)
+                return -1;
+
+            len = p[arg - 2] << 8 | p[arg - 1];
+            key->tls_ver = p[arg - 4] << 8 | p[arg - 3];
+
+            if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
+                key->payload_length = len;
+                if (key->tls_ver >= TLS1_1_VERSION) {
+                    if (len < AES_BLOCK_SIZE)
+                        return 0;
+                    len -= AES_BLOCK_SIZE;
+                    p[arg - 2] = len >> 8;
+                    p[arg - 1] = len;
+                }
+
+                return (int)(((len + SHA_DIGEST_LENGTH +
+                               AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
+                             - len);
+            } else {
+                key->payload_length = arg;
+
+                return SHA_DIGEST_LENGTH;
+            }
+        }
+    default:
+        return -1;
+    }
+}
+
 static int ossltest_rand_bytes(unsigned char *buf, int num)
 {
     unsigned char val = 1;
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index b6ac61e0e8..c713f231ca 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1218,23 +1218,17 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
             }
 
             if (!sending) {
-                /* Adjust the record to remove the explicit IV/MAC/Tag */
-                if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
-                    for (ctr = 0; ctr < n_recs; ctr++) {
+                for (ctr = 0; ctr < n_recs; ctr++) {
+                    /* Adjust the record to remove the explicit IV/MAC/Tag */
+                    if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_GCM_MODE) {
                         recs[ctr].data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
                         recs[ctr].input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
                         recs[ctr].length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
-                    }
-                } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
-                    for (ctr = 0; ctr < n_recs; ctr++) {
+                    } else if (EVP_CIPHER_get_mode(enc) == EVP_CIPH_CCM_MODE) {
                         recs[ctr].data += EVP_CCM_TLS_EXPLICIT_IV_LEN;
                         recs[ctr].input += EVP_CCM_TLS_EXPLICIT_IV_LEN;
                         recs[ctr].length -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
-                    }
-                }
-
-                for (ctr = 0; ctr < n_recs; ctr++) {
-                    if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
+                    } else if (bs != 1 && SSL_USE_EXPLICIT_IV(s)) {
                         if (recs[ctr].length < bs)
                             return 0;
                         recs[ctr].data += bs;
@@ -1254,17 +1248,12 @@ int tls1_enc(SSL *s, SSL3_RECORD *recs, size_t n_recs, int sending,
                                          (macs != NULL) ? &macs[ctr].alloced
                                                         : NULL,
                                          bs,
-                                         macsize,
+                                         pad ? (size_t)pad : macsize,
                                          (EVP_CIPHER_get_flags(enc)
                                          & EVP_CIPH_FLAG_AEAD_CIPHER) != 0,
                                          s->ctx->libctx))
                         return 0;
                 }
-                if (pad) {
-                    for (ctr = 0; ctr < n_recs; ctr++) {
-                        recs[ctr].length -= pad;
-                    }
-                }
             }
         }
     }
diff --git a/ssl/record/tls_pad.c b/ssl/record/tls_pad.c
index 46614e143b..528c605554 100644
--- a/ssl/record/tls_pad.c
+++ b/ssl/record/tls_pad.c
@@ -138,8 +138,6 @@ int tls1_cbc_remove_padding_and_mac(size_t *reclen,
         if (aead) {
             /* padding is already verified and we don't need to check the MAC */
             *reclen -= padding_length + 1 + mac_size;
-            *mac = NULL;
-            *alloced = 0;
             return 1;
         }
 
diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c
index 0b21ff7669..1761ba1d8e 100644
--- a/ssl/tls_depr.c
+++ b/ssl/tls_depr.c
@@ -27,6 +27,7 @@ void tls_engine_finish(ENGINE *e)
 
 const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
 {
+    const EVP_CIPHER *ret = NULL;
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -36,15 +37,16 @@ const EVP_CIPHER *tls_get_cipher_from_engine(int nid)
      */
     eng = ENGINE_get_cipher_engine(nid);
     if (eng != NULL) {
+        ret = ENGINE_get_cipher(eng, nid);
         ENGINE_finish(eng);
-        return EVP_get_cipherbynid(nid);
     }
 #endif
-    return NULL;
+    return ret;
 }
 
 const EVP_MD *tls_get_digest_from_engine(int nid)
 {
+    const EVP_MD *ret = NULL;
 #ifndef OPENSSL_NO_ENGINE
     ENGINE *eng;
 
@@ -54,11 +56,11 @@ const EVP_MD *tls_get_digest_from_engine(int nid)
      */
     eng = ENGINE_get_digest_engine(nid);
     if (eng != NULL) {
+        ret = ENGINE_get_digest(eng, nid);
         ENGINE_finish(eng);
-        return EVP_get_digestbynid(nid);
     }
 #endif
-    return NULL;
+    return ret;
 }
 
 #ifndef OPENSSL_NO_ENGINE
diff --git a/test/recipes/70-test_comp.t b/test/recipes/70-test_comp.t
index eeee29ac5c..11c70705f7 100644
--- a/test/recipes/70-test_comp.t
+++ b/test/recipes/70-test_comp.t
@@ -27,8 +27,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLSv1.3 or TLSv1.2 enabled"
     if disabled("tls1_3") && disabled("tls1_2");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 use constant {
     MULTIPLE_COMPRESSIONS => 0,
     NON_NULL_COMPRESSION => 1
diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t
index ec722c7fcd..7fb8cba73a 100644
--- a/test/recipes/70-test_key_share.t
+++ b/test/recipes/70-test_key_share.t
@@ -63,8 +63,6 @@ plan skip_all => "$test_name needs TLS1.3 enabled"
 plan skip_all => "$test_name needs EC or DH enabled"
     if disabled("ec") && disabled("dh");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_renegotiation.t b/test/recipes/70-test_renegotiation.t
index b7bc9c025a..37fbfd5854 100644
--- a/test/recipes/70-test_renegotiation.t
+++ b/test/recipes/70-test_renegotiation.t
@@ -28,7 +28,6 @@ plan skip_all => "$test_name needs TLS <= 1.2 enabled"
 
 plan tests => 5;
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslcbcpadding.t b/test/recipes/70-test_sslcbcpadding.t
index 7a1b3ba995..c24f315c60 100644
--- a/test/recipes/70-test_sslcbcpadding.t
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -28,7 +28,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLSv1.2 enabled"
     if disabled("tls1_2");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&add_maximal_padding_filter,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslcertstatus.t b/test/recipes/70-test_sslcertstatus.t
index 41c112ae6d..44b3839b95 100644
--- a/test/recipes/70-test_sslcertstatus.t
+++ b/test/recipes/70-test_sslcertstatus.t
@@ -30,7 +30,6 @@ plan skip_all => "$test_name needs TLS enabled"
     if alldisabled(available_protocols("tls"))
        || (!disabled("tls1_3") && disabled("tls1_2"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&certstatus_filter,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t
index c1893b8f06..37fba871e9 100644
--- a/test/recipes/70-test_sslextension.t
+++ b/test/recipes/70-test_sslextension.t
@@ -41,7 +41,6 @@ use constant {
 my $testtype;
 my $fatal_alert = 0;    # set by filter on fatal alert
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&inject_duplicate_extension_clienthello,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslmessages.t b/test/recipes/70-test_sslmessages.t
index abb0f5aff9..0afb700679 100644
--- a/test/recipes/70-test_sslmessages.t
+++ b/test/recipes/70-test_sslmessages.t
@@ -29,8 +29,6 @@ plan skip_all => "$test_name needs TLS enabled"
     if alldisabled(available_protocols("tls"))
        || (!disabled("tls1_3") && disabled("tls1_2"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslrecords.t b/test/recipes/70-test_sslrecords.t
index 318c9235b0..30d9136bbc 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -28,7 +28,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLSv1.2 enabled"
     if disabled("tls1_2");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&add_empty_recs_filter,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t
index ad14577470..10ebe8cf33 100644
--- a/test/recipes/70-test_sslsessiontick.t
+++ b/test/recipes/70-test_sslsessiontick.t
@@ -27,8 +27,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
     if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 sub checkmessages($$$$$$);
 sub clearclient();
 sub clearall();
diff --git a/test/recipes/70-test_sslsigalgs.t b/test/recipes/70-test_sslsigalgs.t
index 48b9e43c3b..998dcc3794 100644
--- a/test/recipes/70-test_sslsigalgs.t
+++ b/test/recipes/70-test_sslsigalgs.t
@@ -26,7 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS1.2 or TLS1.3 enabled"
     if disabled("tls1_2") && disabled("tls1_3");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslsignature.t b/test/recipes/70-test_sslsignature.t
index a9a77d5b8f..d27685bbec 100644
--- a/test/recipes/70-test_sslsignature.t
+++ b/test/recipes/70-test_sslsignature.t
@@ -26,7 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS enabled"
     if alldisabled(available_protocols("tls"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslskewith0p.t b/test/recipes/70-test_sslskewith0p.t
index 9d2442fa12..c53925dcdd 100644
--- a/test/recipes/70-test_sslskewith0p.t
+++ b/test/recipes/70-test_sslskewith0p.t
@@ -29,7 +29,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS enabled"
     if alldisabled(available_protocols("tls"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&ske_0_p_filter,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslversions.t b/test/recipes/70-test_sslversions.t
index 2123860d9c..66b5606db5 100644
--- a/test/recipes/70-test_sslversions.t
+++ b/test/recipes/70-test_sslversions.t
@@ -42,8 +42,6 @@ plan skip_all => "$test_name needs TLS1.3, TLS1.2 and TLS1.1 enabled"
        || disabled("tls1_2")
        || disabled("tls1_1");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_sslvertol.t b/test/recipes/70-test_sslvertol.t
index d41085c9ec..073df9ad84 100644
--- a/test/recipes/70-test_sslvertol.t
+++ b/test/recipes/70-test_sslvertol.t
@@ -26,7 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS enabled"
     if alldisabled(available_protocols("tls"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
 my $proxy = TLSProxy::Proxy->new(
     \&vers_tolerance_filter,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_tls13alerts.t b/test/recipes/70-test_tls13alerts.t
index 44d026c202..e71fd23edb 100644
--- a/test/recipes/70-test_tls13alerts.t
+++ b/test/recipes/70-test_tls13alerts.t
@@ -26,8 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS1.3 enabled"
     if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t
index a4b2a6222b..cc0cfd3aff 100644
--- a/test/recipes/70-test_tls13cookie.t
+++ b/test/recipes/70-test_tls13cookie.t
@@ -26,8 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS1.3 enabled"
     if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 use constant {
     COOKIE_ONLY => 0,
     COOKIE_AND_KEY_SHARE => 1
diff --git a/test/recipes/70-test_tls13downgrade.t b/test/recipes/70-test_tls13downgrade.t
index 9e10a9c9c4..999a79e62a 100644
--- a/test/recipes/70-test_tls13downgrade.t
+++ b/test/recipes/70-test_tls13downgrade.t
@@ -28,8 +28,6 @@ plan skip_all => "$test_name needs TLS1.3 and TLS1.2 enabled"
        || (disabled("ec") && disabled("dh"))
        || disabled("tls1_2");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t
index 845d40aed9..da38ae5bd4 100644
--- a/test/recipes/70-test_tls13hrr.t
+++ b/test/recipes/70-test_tls13hrr.t
@@ -26,8 +26,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLS1.3 enabled"
     if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t
index 6385885057..0d0681a838 100644
--- a/test/recipes/70-test_tls13kexmodes.t
+++ b/test/recipes/70-test_tls13kexmodes.t
@@ -31,9 +31,6 @@ plan skip_all => "$test_name needs TLSv1.3 enabled"
 plan skip_all => "$test_name needs EC enabled"
     if disabled("ec");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
-
 @handmessages = (
     [TLSProxy::Message::MT_CLIENT_HELLO,
         checkhandshake::ALL_HANDSHAKES],
diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t
index 3113294f06..58b88a3ca8 100644
--- a/test/recipes/70-test_tls13messages.t
+++ b/test/recipes/70-test_tls13messages.t
@@ -31,8 +31,6 @@ plan skip_all => "$test_name needs TLSv1.3 enabled"
 plan skip_all => "$test_name needs EC enabled"
     if disabled("ec");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 @handmessages = (
     [TLSProxy::Message::MT_CLIENT_HELLO,
         checkhandshake::ALL_HANDSHAKES],
diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t
index d24d52e35c..f36468de97 100644
--- a/test/recipes/70-test_tls13psk.t
+++ b/test/recipes/70-test_tls13psk.t
@@ -27,8 +27,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLSv1.3 enabled"
     if disabled("tls1_3") || (disabled("ec") && disabled("dh"));
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 my $proxy = TLSProxy::Proxy->new(
     undef,
     cmdstr(app(["openssl"]), display => 1),
diff --git a/test/recipes/70-test_tlsextms.t b/test/recipes/70-test_tlsextms.t
index 20f980648d..a8b18c5f20 100644
--- a/test/recipes/70-test_tlsextms.t
+++ b/test/recipes/70-test_tlsextms.t
@@ -27,8 +27,6 @@ plan skip_all => "$test_name needs the sock feature enabled"
 plan skip_all => "$test_name needs TLSv1.0, TLSv1.1 or TLSv1.2 enabled"
     if disabled("tls1") && disabled("tls1_1") && disabled("tls1_2");
 
-$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
-
 sub checkmessages($$$$$);
 sub setrmextms($$);
 sub clearall();


More information about the openssl-commits mailing list