From eaa32f3679a8f36975142ece0958a68422af8bbc Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 12 Nov 2018 14:23:07 +0000
Subject: [PATCH] Fix no-ec and no-tls1_2
Reviewed-by: Richard Levitte
(Merged from https://github.com/openssl/openssl/pull/7620)
(cherry picked from commit 65d2c16cbe0da8efed2f285f59930297326fb435)
---
 ssl/ssl_locl.h | 2 ++
 ssl/statem/statem_lib.c | 9 +++++-
 ssl/t1_lib.c | 2 ++
 test/recipes/80-test_ssl_new.t | 1 +
 test/ssl-tests/28-seclevel.conf | 52 +++++++++++++++---------------
 test/ssl-tests/28-seclevel.conf.in | 28 ++++++++++------
 6 files changed, 58 insertions(+), 36 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e9c5c5cf80..70e5a1740f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+# ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+# endif
 __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
 __owur int ssl_set_client_disabled(SSL *s);
 __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 95c22062ba..4324896f50 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
 */
 static int is_tls13_capable(const SSL *s)
 {
- int i, curve;
+ int i;
+#ifndef OPENSSL_NO_EC
+ int curve;
 EC_KEY *eckey;
+#endif
 #ifndef OPENSSL_NO_PSK
 if (s->psk_server_callback != NULL)
@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
 }
 if (!ssl_has_cert(s, i))
 continue;
+#ifndef OPENSSL_NO_EC
 if (i != SSL_PKEY_ECC)
 return 1;
 /*
@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
 curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
 if (tls_check_sigalg_curve(s, curve))
 return 1;
+#else
+ return 1;
+#endif
 }
 return 0;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e79c7bf7d1..fc41ed90e7 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
 }
 }
+#ifndef OPENSSL_NO_EC
 /*
 * Called by servers only. Checks that we have a sig alg that supports the
 * specified EC curve.
@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
 return 0;
 }
+#endif
 /*
 * Check signature algorithm is consistent with sent supported signature
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index da8302d206..db2271c388 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
 "22-compression.conf" => !$is_default_tls,
 "25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
 "27-ticket-appdata.conf" => !$is_default_tls,
+ "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
 );
 # Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf
index ddc2448f85..f863f68b08 100644
--- a/test/ssl-tests/28-seclevel.conf
+++ b/test/ssl-tests/28-seclevel.conf
@@ -4,8 +4,8 @@ num_tests = 4
 test-0 = 0-SECLEVEL 3 with default key
 test-1 = 1-SECLEVEL 3 with ED448 key
-test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
-test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
 # ===========================================================
 [0-SECLEVEL 3 with default key]
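Review bot: In ssl/statem/statem_lib.c the `#else` arm added to is_tls13_capable() (hunk at -1543) has no comment explaining why a build without EC may report TLS 1.3 capability for the first populated certificate slot with no signature-algorithm check at all. The guard it closes is opened in the earlier hunk at -1530, so a reader has to join two hunks to see that only the ECC curve check is being compiled out. I would put `/* No EC: there is no ECC certificate to curve-check, so any certificate found is accepted */` above that `return 1;` and close with `#endif /* OPENSSL_NO_EC */`; the premise that an ECC certificate cannot be configured in such a build is inferred from the patch and should be confirmed. is_tls13_capable() starts before the first of these hunks and its end is not shown.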
@@ -54,22 +54,22 @@ ExpectedResult = Success
 # ===========================================================
-[2-SECLEVEL 3 with ED448 key, TLSv1.2]
-ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
-server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
-client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer
 [test-2]
@@ -78,22 +78,22 @@ ExpectedResult = Success
 # ===========================================================
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
-ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+[3-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
-server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
-client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-Groups = X25519
-PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
-CipherString = ECDHE:@SECLEVEL=3
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 [test-3]
diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in
index 5a1ee4638f..9f85a955e1 100644
--- a/test/ssl-tests/28-seclevel.conf.in
+++ b/test/ssl-tests/28-seclevel.conf.in
@@ -10,6 +10,7 @@
 ## SSL test configurations
 package ssltests;
+use OpenSSL::Test::Utils;
 our @tests = (
 {
@@ -18,6 +19,9 @@ our @tests = (
 client => { },
 test => { "ExpectedResult" => "ServerFail" },
 },
+);
+
+our @tests_ec = (
 {
 name => "SECLEVEL 3 with ED448 key",
 server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -26,15 +30,6 @@ our @tests = (
 client => { },
 test => { "ExpectedResult" => "Success" },
 },
- {
- name => "SECLEVEL 3 with ED448 key, TLSv1.2",
- server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
- "Certificate" => test_pem("server-ed448-cert.pem"),
- "PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2" },
- client => { },
- test => { "ExpectedResult" => "Success" },
- },
 {
 name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
 server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -46,3 +41,18 @@ our @tests = (
 test => { "ExpectedResult" => "Success" },
 },
 );
+
+our @tests_tls1_2 = (
+ {
+ name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+ server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+ "Certificate" => test_pem("server-ed448-cert.pem"),
+ "PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2" },
+ client => { },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
-- 
2.34.1
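Review bot: In test/ssl-tests/28-seclevel.conf.in the two cases left in `@tests_ec` expect `Success` without pinning a protocol version, yet the final `push @tests, @tests_ec unless disabled("ec");` gates them on EC support alone. Whether they still pass in a build where the default negotiation ends up below TLS 1.2 is not visible from this patch, and the recipe may already skip that configuration. A short comment above the two `push` lines naming the options each group depends on, e.g. `# @tests_ec needs EC keys; @tests_tls1_2 also pins MaxProtocol to TLSv1.2`, would make the gating checkable at a glance.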