Fix no-ec and no-tls1_2 (eaa32f36) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/ssl_locl.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
		__owur int tls1_set_peer_legacy_sigalg(SSL s, const EVP_PKEY pkey);
		__owur int tls1_lookup_md(const SIGALG_LOOKUP lu, const EVP_MD *pmd);
		__owur size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs);
		# ifndef OPENSSL_NO_EC
		__owur int tls_check_sigalg_curve(const SSL *s, int curve);
		# endif
		__owur int tls12_check_peer_sigalg(SSL s, uint16_t, EVP_PKEY pkey);
		__owur int ssl_set_client_disabled(SSL *s);
		__owur int ssl_cipher_disabled(SSL s, const SSL_CIPHER c, int op, int echde);

ssl/statem/statem_lib.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL s, const SSL_METHOD method)
		*/
		static int is_tls13_capable(const SSL *s)
		{
		int i, curve;
		int i;
		#ifndef OPENSSL_NO_EC
		int curve;
		EC_KEY *eckey;
		#endif

		#ifndef OPENSSL_NO_PSK
		if (s->psk_server_callback != NULL)
		@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
		}
		if (!ssl_has_cert(s, i))
		continue;
		#ifndef OPENSSL_NO_EC
		if (i != SSL_PKEY_ECC)
		return 1;
		/*
		@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
		curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
		if (tls_check_sigalg_curve(s, curve))
		return 1;
		#else
		return 1;
		#endif
		}

		return 0;

ssl/t1_lib.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL s, int sent, const uint16_t *psigs)
		}
		}

		#ifndef OPENSSL_NO_EC
		/*
		* Called by servers only. Checks that we have a sig alg that supports the
		* specified EC curve.
		@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)

		return 0;
		}
		#endif

		/*
		* Check signature algorithm is consistent with sent supported signature

test/recipes/80-test_ssl_new.t

+1 −0

Original line number	Diff line number	Diff line
		@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
		"22-compression.conf" => !$is_default_tls,
		"25-cipher.conf" => disabled("poly1305") \|\| disabled("chacha"),
		"27-ticket-appdata.conf" => !$is_default_tls,
		"28-seclevel.conf" => disabled("tls1_2") \|\| $no_ec,
		);

		# Add your test here if it should be skipped for some compile-time

test/ssl-tests/28-seclevel.conf

+26 −26

Original line number	Diff line number	Diff line
		@@ -4,8 +4,8 @@ num_tests = 4

		test-0 = 0-SECLEVEL 3 with default key
		test-1 = 1-SECLEVEL 3 with ED448 key
		test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
		test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
		test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
		test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
		# ===========================================================

		[0-SECLEVEL 3 with default key]
		@@ -54,22 +54,22 @@ ExpectedResult = Success

		# ===========================================================

		[2-SECLEVEL 3 with ED448 key, TLSv1.2]
		ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
		ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl

		[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
		server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
		client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
		server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
		client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client

		[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
		CipherString = DEFAULT:@SECLEVEL=3
		MaxProtocol = TLSv1.2
		PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
		Groups = X25519
		PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem

		[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
		CipherString = DEFAULT
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
		CipherString = ECDHE:@SECLEVEL=3
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
		VerifyMode = Peer

		[test-2]
		@@ -78,22 +78,22 @@ ExpectedResult = Success

		# ===========================================================

		[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
		ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
		[3-SECLEVEL 3 with ED448 key, TLSv1.2]
		ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl

		[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
		server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
		client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
		[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
		server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
		client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client

		[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
		[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
		Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
		CipherString = DEFAULT:@SECLEVEL=3
		Groups = X25519
		PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
		MaxProtocol = TLSv1.2
		PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem

		[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
		CipherString = ECDHE:@SECLEVEL=3
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
		[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
		CipherString = DEFAULT
		VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
		VerifyMode = Peer

		[test-3]

Admin message