Fix no-ec and no-tls1_2 (eaa32f36) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

ssl/ssl_locl.h

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
	__owur int tls1_set_peer_legacy_sigalg(SSL s, const EVP_PKEY pkey);		__owur int tls1_set_peer_legacy_sigalg(SSL s, const EVP_PKEY pkey);
	__owur int tls1_lookup_md(const SIGALG_LOOKUP lu, const EVP_MD *pmd);		__owur int tls1_lookup_md(const SIGALG_LOOKUP lu, const EVP_MD *pmd);
	__owur size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs);		__owur size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs);
			# ifndef OPENSSL_NO_EC
	__owur int tls_check_sigalg_curve(const SSL *s, int curve);		__owur int tls_check_sigalg_curve(const SSL *s, int curve);
			# endif
	__owur int tls12_check_peer_sigalg(SSL s, uint16_t, EVP_PKEY pkey);		__owur int tls12_check_peer_sigalg(SSL s, uint16_t, EVP_PKEY pkey);
	__owur int ssl_set_client_disabled(SSL *s);		__owur int ssl_set_client_disabled(SSL *s);
	__owur int ssl_cipher_disabled(SSL s, const SSL_CIPHER c, int op, int echde);		__owur int ssl_cipher_disabled(SSL s, const SSL_CIPHER c, int op, int echde);

ssl/statem/statem_lib.c

+8 −1

Original line number	Original line	Diff line number	Diff line
	@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL s, const SSL_METHOD method)
	*/		*/
	static int is_tls13_capable(const SSL *s)		static int is_tls13_capable(const SSL *s)
	{		{
	int i, curve;		int i;
			#ifndef OPENSSL_NO_EC
			int curve;
	EC_KEY *eckey;		EC_KEY *eckey;
			#endif

	#ifndef OPENSSL_NO_PSK		#ifndef OPENSSL_NO_PSK
	if (s->psk_server_callback != NULL)		if (s->psk_server_callback != NULL)
	@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
	}		}
	if (!ssl_has_cert(s, i))		if (!ssl_has_cert(s, i))
	continue;		continue;
			#ifndef OPENSSL_NO_EC
	if (i != SSL_PKEY_ECC)		if (i != SSL_PKEY_ECC)
	return 1;		return 1;
	/*		/*
	@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
	curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));		curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
	if (tls_check_sigalg_curve(s, curve))		if (tls_check_sigalg_curve(s, curve))
	return 1;		return 1;
			#else
			return 1;
			#endif
	}		}

	return 0;		return 0;

ssl/t1_lib.c

+2 −0

Original line number	Original line	Diff line number	Diff line
	@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs)
	}		}
	}		}

			#ifndef OPENSSL_NO_EC
	/*		/*
	* Called by servers only. Checks that we have a sig alg that supports the		* Called by servers only. Checks that we have a sig alg that supports the
	* specified EC curve.		* specified EC curve.
	@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)

	return 0;		return 0;
	}		}
			#endif

	/*		/*
	* Check signature algorithm is consistent with sent supported signature		* Check signature algorithm is consistent with sent supported signature

test/recipes/80-test_ssl_new.t

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
	"22-compression.conf" => !$is_default_tls,		"22-compression.conf" => !$is_default_tls,
	"25-cipher.conf" => disabled("poly1305") \|\| disabled("chacha"),		"25-cipher.conf" => disabled("poly1305") \|\| disabled("chacha"),
	"27-ticket-appdata.conf" => !$is_default_tls,		"27-ticket-appdata.conf" => !$is_default_tls,
			"28-seclevel.conf" => disabled("tls1_2") \|\| $no_ec,
	);		);

	# Add your test here if it should be skipped for some compile-time		# Add your test here if it should be skipped for some compile-time

test/ssl-tests/28-seclevel.conf

+26 −26

Original line number	Original line	Diff line number	Diff line
	@@ -4,8 +4,8 @@ num_tests = 4

	test-0 = 0-SECLEVEL 3 with default key		test-0 = 0-SECLEVEL 3 with default key
	test-1 = 1-SECLEVEL 3 with ED448 key		test-1 = 1-SECLEVEL 3 with ED448 key
	test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2		test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
	test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE		test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
	# ===========================================================		# ===========================================================

	[0-SECLEVEL 3 with default key]		[0-SECLEVEL 3 with default key]
	@@ -54,22 +54,22 @@ ExpectedResult = Success

	# ===========================================================		# ===========================================================

	[2-SECLEVEL 3 with ED448 key, TLSv1.2]		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
	ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl		ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl

	[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
	server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server		server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
	client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client		client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client

	[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
	Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem		Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
	CipherString = DEFAULT:@SECLEVEL=3		CipherString = DEFAULT:@SECLEVEL=3
	MaxProtocol = TLSv1.2		Groups = X25519
	PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem		PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem

	[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
	CipherString = DEFAULT		CipherString = ECDHE:@SECLEVEL=3
	VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
	VerifyMode = Peer		VerifyMode = Peer

	[test-2]		[test-2]
	@@ -78,22 +78,22 @@ ExpectedResult = Success

	# ===========================================================		# ===========================================================

	[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]		[3-SECLEVEL 3 with ED448 key, TLSv1.2]
	ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl		ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl

	[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]		[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
	server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server		server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
	client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client		client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client

	[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]		[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
	Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem		Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
	CipherString = DEFAULT:@SECLEVEL=3		CipherString = DEFAULT:@SECLEVEL=3
	Groups = X25519		MaxProtocol = TLSv1.2
	PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem		PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem

	[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]		[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
	CipherString = ECDHE:@SECLEVEL=3		CipherString = DEFAULT
	VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
	VerifyMode = Peer		VerifyMode = Peer

	[test-3]		[test-3]