From d088fee72c6c848eb7a54184cf3da2535322b93a Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Wed, 21 Jan 2026 18:01:01 -0500 Subject: [PATCH 1/5] Add cipher suite filtering when downgrade is disabled When wolfSSL_SetVersion() is called to set a specific TLS version, the downgrade flag is now set to 0. This causes wolfSSL_parse_cipher_list() to no longer preserve cipher suites from the other TLS version group. Previously, when using SSLv23 method and setting cipher suites for only one TLS version (e.g., TLS 1.2), the library would preserve any existing cipher suites from the other version (e.g., TLS 1.3) for OpenSSL API compatibility. With this change, if a specific version is set via wolfSSL_SetVersion(), only the cipher suites for that version are kept. --- src/ssl.c | 12 +++- tests/api.c | 180 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 191 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index d3961330e..e602e2d84 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5487,6 +5487,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version) return BAD_FUNC_ARG; } + ssl->options.downgrade = 0; + #ifdef NO_RSA haveRSA = 0; #endif 
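Review bot: `ssl->options.downgrade = 0;` runs on every successful wolfSSL_SetVersion() call and nothing visible in this hunk restores it, so on an object created from an SSLv23 method the call now pins the version (and presumably stops negotiation of lower ones) as well as selecting it. That side effect should be stated at the assignment, e.g. `/* An explicit version pins the protocol: downgrade is off, and wolfSSL_parse_cipher_list() no longer preserves the other TLS group's suites. */`, and in the function's API documentation. The added tests only call wolfSSL_SetVersion() before wolfSSL_set_cipher_list(); in the reverse order the suites preserved by the earlier call presumably stay in the list unless the rest of this function rebuilds them, so that order deserves a test. The function body starts and ends outside the hunk.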
@@ -9680,7 +9682,15 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl, * - SSL_CTX_set_ciphersuites for setting TLS 1.3 suites * Since we direct both API here we attempt to provide API compatibility. If * we only get suites from <= 1.2 or == 1.3 then we will only update those - * suites and keep the suites from the other group. */ + * suites and keep the suites from the other group. + * If downgrade is disabled, skip preserving the other group's suites. */ + if ((ssl != NULL && !ssl->options.downgrade) || + (ctx != NULL && !ctx->method->downgrade)) { + /* Downgrade disabled - don't preserve other group's suites */ + WC_FREE_VAR_EX(suitesCpy, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return ret; + } + for (i = 0; i < suitesCpySz && suites->suiteSz <= (WOLFSSL_MAX_SUITE_SZ - SUITE_LEN); i += 2) { /* Check for duplicates */ diff --git a/tests/api.c b/tests/api.c index ffe0b9efa..452a562c5 100644 --- a/tests/api.c +++ b/tests/api.c 
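Review bot: The `ctx != NULL && !ctx->method->downgrade` half of the new condition is not exercised by any of the added tests, which all go through `wolfSSL_set_cipher_list(ssl, ...)`. It also widens the change beyond the commit message: a context whose method has downgrade clear (presumably any fixed-version method) now drops the other group's suites in the CTX-level cipher-list call, without wolfSSL_SetVersion() being involved. A test on such a context would pin that. The block comment should add that a list naming only suites of the non-selected version leaves no usable suite for the pinned version, so the handshake is presumably expected to fail rather than fall back. If a caller can pass both `ctx` and `ssl`, the `||` lets the context's flag decide for a session whose own flag is still set; confirm that is intended (the function begins and ends outside the hunk).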
@@ -2052,6 +2052,182 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) return EXPECT_RESULT(); } +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + !defined(WOLFSSL_NO_TLS12) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) +/* Helper function to check if TLS 1.3 suites exist in the suites list */ +static int suites_has_tls13(const byte* suites, word16 suiteSz) +{ + word16 i; + for (i = 0; i < suiteSz; i += 2) { + if (suites[i] == 0x13) { /* TLS13_BYTE */ + return 1; + } + } + return 0; +} + +/* Helper function to check if TLS 1.2 (non-1.3) suites exist in the suites list */ +static int suites_has_tls12(const byte* suites, word16 suiteSz) +{ + word16 i; + for (i = 0; i < suiteSz; i += 2) { + if (suites[i] != 0x13) { /* Not TLS13_BYTE */ + return 1; + } + } + return 0; +} +#endif + +/* Test 1: SSLv23 + set TLS 1.2 cipher -> TLS 1.3 suites should still be there */ +static int test_wolfSSL_set_cipher_list_tls12_keeps_tls13(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + !defined(WOLFSSL_NO_TLS12) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + defined(HAVE_ECC) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + /* Set only a TLS 1.2 cipher suite */ + ExpectIntEQ(wolfSSL_set_cipher_list(ssl, "ECDHE-RSA-AES128-GCM-SHA256"), + WOLFSSL_SUCCESS); + + /* TLS 1.3 suites should still be present (downgrade is enabled) */ + ExpectNotNull(ssl->suites); + ExpectTrue(suites_has_tls13(ssl->suites->suites, ssl->suites->suiteSz)); + /* The TLS 1.2 suite we set should also be there */ + ExpectTrue(suites_has_tls12(ssl->suites->suites, ssl->suites->suiteSz)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +/* Test 2: SSLv23 
+ set TLS 1.3 cipher -> TLS 1.2 suites should still be there */ +static int test_wolfSSL_set_cipher_list_tls13_keeps_tls12(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + !defined(WOLFSSL_NO_TLS12) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + /* Set only a TLS 1.3 cipher suite */ + ExpectIntEQ(wolfSSL_set_cipher_list(ssl, "TLS_AES_128_GCM_SHA256"), + WOLFSSL_SUCCESS); + + /* TLS 1.2 suites should still be present (downgrade is enabled) */ + ExpectNotNull(ssl->suites); + ExpectTrue(suites_has_tls12(ssl->suites->suites, ssl->suites->suiteSz)); + /* The TLS 1.3 suite we set should also be there */ + ExpectTrue(suites_has_tls13(ssl->suites->suites, ssl->suites->suiteSz)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +/* Test 3: SSLv23 + SetVersion(TLS 1.2) + set TLS 1.2 cipher -> only that cipher */ +static int test_wolfSSL_set_cipher_list_tls12_with_version(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + !defined(WOLFSSL_NO_TLS12) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + defined(HAVE_ECC) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + /* Set protocol version to TLS 1.2 (this disables downgrade) */ + ExpectIntEQ(wolfSSL_SetVersion(ssl, WOLFSSL_TLSV1_2), WOLFSSL_SUCCESS); + + /* Set only a TLS 1.2 cipher suite */ + ExpectIntEQ(wolfSSL_set_cipher_list(ssl, "ECDHE-RSA-AES128-GCM-SHA256"), + 
WOLFSSL_SUCCESS); + + /* Should have only TLS 1.2 suites (no TLS 1.3) since downgrade is disabled */ + ExpectNotNull(ssl->suites); + ExpectFalse(suites_has_tls13(ssl->suites->suites, ssl->suites->suiteSz)); + /* Should have the TLS 1.2 suite we set */ + ExpectTrue(suites_has_tls12(ssl->suites->suites, ssl->suites->suiteSz)); + /* Should have exactly one cipher suite (2 bytes) */ + ExpectIntEQ(ssl->suites->suiteSz, 2); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + +/* Test 4: SSLv23 + SetVersion(TLS 1.3) + set TLS 1.3 cipher -> only that cipher */ +static int test_wolfSSL_set_cipher_list_tls13_with_version(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + !defined(WOLFSSL_NO_TLS12) && \ + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + +#ifndef NO_WOLFSSL_CLIENT + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + + ExpectNotNull(ssl = wolfSSL_new(ctx)); + + /* Set protocol version to TLS 1.3 (this disables downgrade) */ + ExpectIntEQ(wolfSSL_SetVersion(ssl, WOLFSSL_TLSV1_3), WOLFSSL_SUCCESS); + + /* Set only a TLS 1.3 cipher suite */ + ExpectIntEQ(wolfSSL_set_cipher_list(ssl, "TLS_AES_128_GCM_SHA256"), + WOLFSSL_SUCCESS); + + /* Should have only TLS 1.3 suites (no TLS 1.2) since downgrade is disabled */ + ExpectNotNull(ssl->suites); + ExpectFalse(suites_has_tls12(ssl->suites->suites, ssl->suites->suiteSz)); + /* Should have the TLS 1.3 suite we set */ + ExpectTrue(suites_has_tls13(ssl->suites->suites, ssl->suites->suiteSz)); + /* Should have exactly one cipher suite (2 bytes) */ + ExpectIntEQ(ssl->suites->suiteSz, 2); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_CTX_use_certificate(void) { 
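Review bot: Both helpers compare against the literal `0x13` and name the constant only in a trailing comment. If the header declaring `TLS13_BYTE` is visible in tests/api.c (the tests already reach into `ssl->suites`), use it directly: `if (suites[i] == TLS13_BYTE) {` and `if (suites[i] != TLS13_BYTE) {`. `suites_has_tls12()` returns true for any entry whose first byte is not 0x13, so a signalling or other non-TLS-1.2 entry would satisfy the "keeps TLS 1.2" checks and trip the "no TLS 1.2" ones; its comment should say it means "any non-TLS-1.3 entry". In tests 3 and 4 the `suiteSz == 2` assertion already implies the has/has-not checks, so comparing the two stored bytes with the suite that was requested would verify more than the count does.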
@@ -31522,6 +31698,10 @@ TEST_CASE testCases[] = { TEST_DECL(test_SSL_CIPHER_get_xxx), TEST_DECL(test_wolfSSL_ERR_strings), TEST_DECL(test_wolfSSL_CTX_set_cipher_list_bytes), + TEST_DECL(test_wolfSSL_set_cipher_list_tls12_keeps_tls13), + TEST_DECL(test_wolfSSL_set_cipher_list_tls13_keeps_tls12), + TEST_DECL(test_wolfSSL_set_cipher_list_tls12_with_version), + TEST_DECL(test_wolfSSL_set_cipher_list_tls13_with_version), TEST_DECL(test_wolfSSL_CTX_use_certificate), TEST_DECL(test_wolfSSL_CTX_use_certificate_file), TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer), From 2616fe3ff19aacf62b60cbc7c5dada540b459fe2 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Thu, 22 Jan 2026 22:17:59 -0500 Subject: [PATCH 2/5] Better guards around tests --- tests/api.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tests/api.c b/tests/api.c index 452a562c5..68c027e3c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2054,7 +2054,8 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + ((!defined(NO_RSA) && defined(HAVE_ECC)) || !defined(NO_ERROR_STRINGS)) /* Helper function to check if TLS 1.3 suites exist in the suites list */ static int suites_has_tls13(const byte* suites, word16 suiteSz) { @@ -2087,7 +2088,7 @@ static int test_wolfSSL_set_cipher_list_tls12_keeps_tls13(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - defined(HAVE_ECC) + defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; 
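Review bot: The helper guard now ends in `((!defined(NO_RSA) && defined(HAVE_ECC)) || !defined(NO_ERROR_STRINGS))`, the union of the four tests' own guards, and nothing says why `NO_ERROR_STRINGS` matters to a cipher-list test. A one-line comment at each use would help, e.g. `/* "TLS_AES_128_GCM_SHA256" is looked up by its IANA name, presumably unavailable with NO_ERROR_STRINGS */` on the two TLS 1.3 tests and `/* ECDHE-RSA suite needs ECC and RSA */` on the two TLS 1.2 tests. The same condition is now spelled out in five places that have to be kept in sync by hand (the later guard hunks for test_wolfSSL_set_cipher_list_tls13_keeps_tls12, _tls12_with_version and _tls13_with_version repeat it); consider defining the TLS 1.2 and TLS 1.3 test conditions once above the helpers and deriving the helper guard from them.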
@@ -2121,7 +2122,8 @@ static int test_wolfSSL_set_cipher_list_tls13_keeps_tls12(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2156,7 +2158,7 @@ static int test_wolfSSL_set_cipher_list_tls12_with_version(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - defined(HAVE_ECC) + defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2195,7 +2197,8 @@ static int test_wolfSSL_set_cipher_list_tls13_with_version(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) + (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; From d6985a6ee3d2588fee0e61fb17ac31c0843ffe7e Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Fri, 23 Jan 2026 16:23:44 -0500 Subject: [PATCH 3/5] AES-GCM guard. --- tests/api.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index 68c027e3c..26a4b6aea 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2055,6 +2055,7 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + defined(HAVE_AESGCM) && \ ((!defined(NO_RSA) && defined(HAVE_ECC)) || !defined(NO_ERROR_STRINGS)) /* Helper function to check if TLS 1.3 suites exist in the suites list */ static int suites_has_tls13(const byte* suites, word16 suiteSz) 
@@ -2088,7 +2089,7 @@ static int test_wolfSSL_set_cipher_list_tls12_keeps_tls13(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - defined(HAVE_ECC) && !defined(NO_RSA) + defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2123,7 +2124,7 @@ static int test_wolfSSL_set_cipher_list_tls13_keeps_tls12(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_ERROR_STRINGS) + defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2158,7 +2159,7 @@ static int test_wolfSSL_set_cipher_list_tls12_with_version(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - defined(HAVE_ECC) && !defined(NO_RSA) + defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2198,7 +2199,7 @@ static int test_wolfSSL_set_cipher_list_tls13_with_version(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ - !defined(NO_ERROR_STRINGS) + defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; From 9a53125794709fab0689392e9f0cb11041a44ccd Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Tue, 27 Jan 2026 11:19:50 -0500 Subject: [PATCH 4/5] Simplify testing gating logic. --- tests/api.c | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) diff --git a/tests/api.c b/tests/api.c index 26a4b6aea..6cd104fc0 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -2054,7 +2054,7 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_AESGCM) && \ ((!defined(NO_RSA) && defined(HAVE_ECC)) || !defined(NO_ERROR_STRINGS)) /* Helper function to check if TLS 1.3 suites exist in the suites list */ @@ -2088,17 +2088,12 @@ static int test_wolfSSL_set_cipher_list_tls12_keeps_tls13(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; -#ifndef NO_WOLFSSL_CLIENT ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); /* Set only a TLS 1.2 cipher suite */ @@ -2123,17 +2118,12 @@ static int test_wolfSSL_set_cipher_list_tls13_keeps_tls12(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; -#ifndef NO_WOLFSSL_CLIENT ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); /* Set only a TLS 1.3 cipher suite */ 
@@ -2158,17 +2148,12 @@ static int test_wolfSSL_set_cipher_list_tls12_with_version(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; -#ifndef NO_WOLFSSL_CLIENT ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); /* Set protocol version to TLS 1.2 (this disables downgrade) */ @@ -2198,17 +2183,12 @@ static int test_wolfSSL_set_cipher_list_tls13_with_version(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ - (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ + !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; -#ifndef NO_WOLFSSL_CLIENT ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectNotNull(ssl = wolfSSL_new(ctx)); /* Set protocol version to TLS 1.3 (this disables downgrade) */ From 3aa758c615418d5d0e9142aa2eda33e43b56f3cc Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Tue, 27 Jan 2026 12:57:31 -0500 Subject: [PATCH 5/5] renegotiation indication changes number of ciphersuites so gate on that --- tests/api.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/api.c b/tests/api.c index 6cd104fc0..d5e29b4a3 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -2055,6 +2055,7 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && \ + !defined(HAVE_RENEGOTIATION_INDICATION) && \ defined(HAVE_AESGCM) && \ ((!defined(NO_RSA) && defined(HAVE_ECC)) || !defined(NO_ERROR_STRINGS)) /* Helper function to check if TLS 1.3 suites exist in the suites list */ @@ -2089,6 +2090,7 @@ static int test_wolfSSL_set_cipher_list_tls12_keeps_tls13(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && \ + !defined(HAVE_RENEGOTIATION_INDICATION) && \ defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2119,6 +2121,7 @@ static int test_wolfSSL_set_cipher_list_tls13_keeps_tls12(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && \ + !defined(HAVE_RENEGOTIATION_INDICATION) && \ defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2149,6 +2152,7 @@ static int test_wolfSSL_set_cipher_list_tls12_with_version(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && \ + !defined(HAVE_RENEGOTIATION_INDICATION) && \ defined(HAVE_AESGCM) && defined(HAVE_ECC) && !defined(NO_RSA) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; @@ -2184,6 +2188,7 @@ static int test_wolfSSL_set_cipher_list_tls13_with_version(void) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ !defined(WOLFSSL_NO_TLS12) && \ !defined(NO_WOLFSSL_CLIENT) && \ + !defined(HAVE_RENEGOTIATION_INDICATION) && \ defined(HAVE_AESGCM) && !defined(NO_ERROR_STRINGS) WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL;
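Review bot: Adding `!defined(HAVE_RENEGOTIATION_INDICATION)` to the helper guard and to all four test guards removes the whole filtering test group from builds with that option, although going by the commit subject only the number of suites changes there. Only the `ExpectIntEQ(ssl->suites->suiteSz, 2);` assertions in test_wolfSSL_set_cipher_list_tls12_with_version and test_wolfSSL_set_cipher_list_tls13_with_version (outside these hunks) state a count. The two "keeps" tests could stay enabled, and the two "with_version" tests could keep their `suites_has_tls13()`/`suites_has_tls12()` checks and put just the count assertion under the new condition, provided the extra entry does not trip `suites_has_tls12()`. As written, the downgrade-disabled path in wolfSSL_parse_cipher_list() is untested in every configuration that enables renegotiation indication.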