[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Sat Feb 25 16:04:06 UTC 2017
The branch master has been updated
via c749308fc44a0b33b340e23834320dbef9fbf8de (commit)
via 095a982bb49879e6dea1e846d744652b2bd30e18 (commit)
via e892e3255858b6b8bb79bee9972aa9700a38903b (commit)
via d09e903a8600c8ea6ea8e3b48297272f08ee4b3c (commit)
from 599b586d8775830ad1d5982382a9bb2d78a40679 (commit)
- Log -----------------------------------------------------------------
commit c749308fc44a0b33b340e23834320dbef9fbf8de
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sat Feb 25 00:40:55 2017 +0000
Add tests for SHA1 and EC point compression
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
commit 095a982bb49879e6dea1e846d744652b2bd30e18
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Sat Feb 25 00:25:04 2017 +0000
For TLS 1.3 reject SHA1 TLS signatures
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
commit e892e3255858b6b8bb79bee9972aa9700a38903b
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 24 20:43:02 2017 +0000
Reject compressed point format with TLS 1.3
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
commit d09e903a8600c8ea6ea8e3b48297272f08ee4b3c
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Feb 24 17:29:59 2017 +0000
EC certificate with compression point
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2739)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/ssl.h | 1 +
ssl/ssl_err.c | 2 +
ssl/t1_lib.c | 25 +++--
test/certs/server-cecdsa-cert.pem | 15 +++
test/certs/server-cecdsa-key.pem | 4 +
test/ssl-tests/20-cert-select.conf | 172 +++++++++++++++++++++++-----------
test/ssl-tests/20-cert-select.conf.in | 55 +++++++++++
7 files changed, 211 insertions(+), 63 deletions(-)
create mode 100644 test/certs/server-cecdsa-cert.pem
create mode 100644 test/certs/server-cecdsa-key.pem
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 40c58c5..51dbca4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2508,6 +2508,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
# define SSL_R_HTTPS_PROXY_REQUEST 155
# define SSL_R_HTTP_REQUEST 156
+# define SSL_R_ILLEGAL_POINT_COMPRESSION 162
# define SSL_R_ILLEGAL_SUITEB_DIGEST 380
# define SSL_R_INAPPROPRIATE_FALLBACK 373
# define SSL_R_INCONSISTENT_COMPRESSION 340
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index addc3de..444de8e 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -570,6 +570,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS), "got a fin before a ccs"},
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST), "https proxy request"},
{ERR_REASON(SSL_R_HTTP_REQUEST), "http request"},
+ {ERR_REASON(SSL_R_ILLEGAL_POINT_COMPRESSION),
+ "illegal point compression"},
{ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST), "illegal Suite B digest"},
{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
{ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 100c97c..099dcdb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -902,10 +902,11 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
}
lu = tls1_lookup_sigalg(sig);
/*
- * Check sigalgs is known and key type is consistent with signature:
- * RSA keys can be used for RSA-PSS
+ * Check sigalgs is known. Disallow SHA1 with TLS 1.3. Check key type is
+ * consistent with signature: RSA keys can be used for RSA-PSS
*/
- if (lu == NULL || (pkeyid != lu->sig
+ if (lu == NULL || (SSL_IS_TLS13(s) && lu->hash == NID_sha1)
+ || (pkeyid != lu->sig
&& (lu->sig != EVP_PKEY_RSA_PSS || pkeyid != EVP_PKEY_RSA))) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
@@ -916,8 +917,12 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
if (SSL_IS_TLS13(s)) {
+ if (EC_KEY_get_conv_form(ec) != POINT_CONVERSION_UNCOMPRESSED) {
+ SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG,
+ SSL_R_ILLEGAL_POINT_COMPRESSION);
+ return 0;
+ }
/* For TLS 1.3 check curve matches signature algorithm */
-
if (lu->curve != NID_undef && curve != lu->curve) {
SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE);
return 0;
@@ -2237,15 +2242,16 @@ int tls_choose_sigalg(SSL *s, int *al)
if (SSL_IS_TLS13(s)) {
size_t i;
#ifndef OPENSSL_NO_EC
- int curve = -1;
+ int curve = -1, skip_ec = 0;
#endif
/* Look for a certificate matching shared sigaglgs */
for (i = 0; i < s->cert->shared_sigalgslen; i++) {
lu = s->cert->shared_sigalgs[i];
- /* Skip DSA and RSA if not PSS */
- if (lu->sig == EVP_PKEY_DSA || lu->sig == EVP_PKEY_RSA)
+ /* Skip SHA1, DSA and RSA if not PSS */
+ if (lu->hash == NID_sha1 || lu->sig == EVP_PKEY_DSA
+ || lu->sig == EVP_PKEY_RSA)
continue;
if (ssl_md(lu->hash_idx) == NULL)
continue;
@@ -2258,8 +2264,11 @@ int tls_choose_sigalg(SSL *s, int *al)
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[idx].privatekey);
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ if (EC_KEY_get_conv_form(ec)
+ != POINT_CONVERSION_UNCOMPRESSED)
+ skip_ec = 1;
}
- if (lu->curve != NID_undef && curve != lu->curve)
+ if (skip_ec || (lu->curve != NID_undef && curve != lu->curve))
continue;
#else
continue;
diff --git a/test/certs/server-cecdsa-cert.pem b/test/certs/server-cecdsa-cert.pem
new file mode 100644
index 0000000..6446bbf
--- /dev/null
+++ b/test/certs/server-cecdsa-cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSDCCATCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTE3MDIyNDE3MjgxOFoYDzIxMTcwMjI1MTcyODE4WjAfMR0wGwYDVQQD
+DBRFQ0RTQSBjb21wcmVzc2VkIGtleTA5MBMGByqGSM49AgEGCCqGSM49AwEHAyIA
+AuI7NNxE483tJyIKT6KOQM5Zlfrigh12BEcHxnzpudgVo4GEMIGBMB0GA1UdDgQW
+BBRYM6sJF9MGP6q5g0lxnwQzVozv2DAfBgNVHSMEGDAWgBRwfy6ug2hZmAQjKs3r
+PhfNJN0BSTAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB8GA1UdEQQY
+MBaCFEVDRFNBIGNvbXByZXNzZWQga2V5MA0GCSqGSIb3DQEBCwUAA4IBAQCEmLt+
+eW36thd16Coscs4LYV8aFS6cyCw1dXUOAsDn8SH6zFkhidahgGY4cXdYeNpffYWZ
+yL1ydfL5ce76Ye4liLY0N/3tvsMTdyvtMxzVrC27W7yxfh65tPGhQtZNbzWZPkUr
+pBQ5w8pN9go/B/tCmflffzAXz5XOI2dRGxENfHV/6KTjn+ojbgWL2JmkbBuTSk7w
+18s5ae+T7rUFPTxlN9vFoFyCf+mjHArRhIHBR1AiZ9/Q1XN44u7EWYbKkiJgki1Q
+VBd4jvGz3GsH2DWMm1B1VqO0vddRNFDy7DtMO36VRz0k0k2ysOw1Y82XAniPboS7
+jC8uUGdh3iKWaOb5
+-----END CERTIFICATE-----
diff --git a/test/certs/server-cecdsa-key.pem b/test/certs/server-cecdsa-key.pem
new file mode 100644
index 0000000..ae157df
--- /dev/null
+++ b/test/certs/server-cecdsa-key.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MFcCAQEEIEyOTc8v2AjaRLgE6+oxbbmQOVbNec21ziVORF5fiQHuoAoGCCqGSM49
+AwEHoSQDIgAC4js03ETjze0nIgpPoo5AzlmV+uKCHXYERwfGfOm52BU=
+-----END EC PRIVATE KEY-----
diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf
index 290bb87..e787efc 100644
--- a/test/ssl-tests/20-cert-select.conf
+++ b/test/ssl-tests/20-cert-select.conf
@@ -1,18 +1,20 @@
# Generated with generate_ssl_tests.pl
-num_tests = 11
+num_tests = 13
test-0 = 0-ECDSA CipherString Selection
test-1 = 1-RSA CipherString Selection
test-2 = 2-ECDSA CipherString Selection, no ECDSA certificate
test-3 = 3-ECDSA Signature Algorithm Selection
test-4 = 4-ECDSA Signature Algorithm Selection SHA384
-test-5 = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate
-test-6 = 6-RSA Signature Algorithm Selection
-test-7 = 7-RSA-PSS Signature Algorithm Selection
-test-8 = 8-Suite B P-256 Hash Algorithm Selection
-test-9 = 9-Suite B P-384 Hash Algorithm Selection
-test-10 = 10-TLS 1.2 DSA Certificate Test
+test-5 = 5-ECDSA Signature Algorithm Selection SHA1
+test-6 = 6-ECDSA Signature Algorithm Selection compressed point
+test-7 = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate
+test-8 = 8-RSA Signature Algorithm Selection
+test-9 = 9-RSA-PSS Signature Algorithm Selection
+test-10 = 10-Suite B P-256 Hash Algorithm Selection
+test-11 = 11-Suite B P-384 Hash Algorithm Selection
+test-12 = 12-TLS 1.2 DSA Certificate Test
# ===========================================================
[0-ECDSA CipherString Selection]
@@ -155,39 +157,99 @@ ExpectedServerSignType = EC
# ===========================================================
-[5-ECDSA Signature Algorithm Selection, no ECDSA certificate]
-ssl_conf = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+[5-ECDSA Signature Algorithm Selection SHA1]
+ssl_conf = 5-ECDSA Signature Algorithm Selection SHA1-ssl
-[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
-server = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
-client = 5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+[5-ECDSA Signature Algorithm Selection SHA1-ssl]
+server = 5-ECDSA Signature Algorithm Selection SHA1-server
+client = 5-ECDSA Signature Algorithm Selection SHA1-client
-[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+[5-ECDSA Signature Algorithm Selection SHA1-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[5-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+[5-ECDSA Signature Algorithm Selection SHA1-client]
CipherString = DEFAULT
-SignatureAlgorithms = ECDSA+SHA256
+SignatureAlgorithms = ECDSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-5]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA1
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[6-ECDSA Signature Algorithm Selection compressed point]
+ssl_conf = 6-ECDSA Signature Algorithm Selection compressed point-ssl
+
+[6-ECDSA Signature Algorithm Selection compressed point-ssl]
+server = 6-ECDSA Signature Algorithm Selection compressed point-server
+client = 6-ECDSA Signature Algorithm Selection compressed point-client
+
+[6-ECDSA Signature Algorithm Selection compressed point-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-cecdsa-cert.pem
+ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-cecdsa-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[6-ECDSA Signature Algorithm Selection compressed point-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-6]
+ExpectedResult = Success
+ExpectedServerCertType = P-256
+ExpectedServerSignHash = SHA256
+ExpectedServerSignType = EC
+
+
+# ===========================================================
+
+[7-ECDSA Signature Algorithm Selection, no ECDSA certificate]
+ssl_conf = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl
+
+[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-ssl]
+server = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server
+client = 7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client
+
+[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[7-ECDSA Signature Algorithm Selection, no ECDSA certificate-client]
+CipherString = DEFAULT
+SignatureAlgorithms = ECDSA+SHA256
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-7]
ExpectedResult = ServerFail
# ===========================================================
-[6-RSA Signature Algorithm Selection]
-ssl_conf = 6-RSA Signature Algorithm Selection-ssl
+[8-RSA Signature Algorithm Selection]
+ssl_conf = 8-RSA Signature Algorithm Selection-ssl
-[6-RSA Signature Algorithm Selection-ssl]
-server = 6-RSA Signature Algorithm Selection-server
-client = 6-RSA Signature Algorithm Selection-client
+[8-RSA Signature Algorithm Selection-ssl]
+server = 8-RSA Signature Algorithm Selection-server
+client = 8-RSA Signature Algorithm Selection-client
-[6-RSA Signature Algorithm Selection-server]
+[8-RSA Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -195,13 +257,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[6-RSA Signature Algorithm Selection-client]
+[8-RSA Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-6]
+[test-8]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
@@ -210,14 +272,14 @@ ExpectedServerSignType = RSA
# ===========================================================
-[7-RSA-PSS Signature Algorithm Selection]
-ssl_conf = 7-RSA-PSS Signature Algorithm Selection-ssl
+[9-RSA-PSS Signature Algorithm Selection]
+ssl_conf = 9-RSA-PSS Signature Algorithm Selection-ssl
-[7-RSA-PSS Signature Algorithm Selection-ssl]
-server = 7-RSA-PSS Signature Algorithm Selection-server
-client = 7-RSA-PSS Signature Algorithm Selection-client
+[9-RSA-PSS Signature Algorithm Selection-ssl]
+server = 9-RSA-PSS Signature Algorithm Selection-server
+client = 9-RSA-PSS Signature Algorithm Selection-client
-[7-RSA-PSS Signature Algorithm Selection-server]
+[9-RSA-PSS Signature Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem
@@ -225,13 +287,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[7-RSA-PSS Signature Algorithm Selection-client]
+[9-RSA-PSS Signature Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = RSA-PSS+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-7]
+[test-9]
ExpectedResult = Success
ExpectedServerCertType = RSA
ExpectedServerSignHash = SHA256
@@ -240,14 +302,14 @@ ExpectedServerSignType = RSA-PSS
# ===========================================================
-[8-Suite B P-256 Hash Algorithm Selection]
-ssl_conf = 8-Suite B P-256 Hash Algorithm Selection-ssl
+[10-Suite B P-256 Hash Algorithm Selection]
+ssl_conf = 10-Suite B P-256 Hash Algorithm Selection-ssl
-[8-Suite B P-256 Hash Algorithm Selection-ssl]
-server = 8-Suite B P-256 Hash Algorithm Selection-server
-client = 8-Suite B P-256 Hash Algorithm Selection-client
+[10-Suite B P-256 Hash Algorithm Selection-ssl]
+server = 10-Suite B P-256 Hash Algorithm Selection-server
+client = 10-Suite B P-256 Hash Algorithm Selection-client
-[8-Suite B P-256 Hash Algorithm Selection-server]
+[10-Suite B P-256 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p256-server-cert.pem
@@ -255,13 +317,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p256-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[8-Suite B P-256 Hash Algorithm Selection-client]
+[10-Suite B P-256 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA384:ECDSA+SHA256
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-8]
+[test-10]
ExpectedResult = Success
ExpectedServerCertType = P-256
ExpectedServerSignHash = SHA256
@@ -270,14 +332,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[9-Suite B P-384 Hash Algorithm Selection]
-ssl_conf = 9-Suite B P-384 Hash Algorithm Selection-ssl
+[11-Suite B P-384 Hash Algorithm Selection]
+ssl_conf = 11-Suite B P-384 Hash Algorithm Selection-ssl
-[9-Suite B P-384 Hash Algorithm Selection-ssl]
-server = 9-Suite B P-384 Hash Algorithm Selection-server
-client = 9-Suite B P-384 Hash Algorithm Selection-client
+[11-Suite B P-384 Hash Algorithm Selection-ssl]
+server = 11-Suite B P-384 Hash Algorithm Selection-server
+client = 11-Suite B P-384 Hash Algorithm Selection-client
-[9-Suite B P-384 Hash Algorithm Selection-server]
+[11-Suite B P-384 Hash Algorithm Selection-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = SUITEB128
ECDSA.Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
@@ -285,13 +347,13 @@ ECDSA.PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[9-Suite B P-384 Hash Algorithm Selection-client]
+[11-Suite B P-384 Hash Algorithm Selection-client]
CipherString = DEFAULT
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
-[test-9]
+[test-11]
ExpectedResult = Success
ExpectedServerCertType = P-384
ExpectedServerSignHash = SHA384
@@ -300,14 +362,14 @@ ExpectedServerSignType = EC
# ===========================================================
-[10-TLS 1.2 DSA Certificate Test]
-ssl_conf = 10-TLS 1.2 DSA Certificate Test-ssl
+[12-TLS 1.2 DSA Certificate Test]
+ssl_conf = 12-TLS 1.2 DSA Certificate Test-ssl
-[10-TLS 1.2 DSA Certificate Test-ssl]
-server = 10-TLS 1.2 DSA Certificate Test-server
-client = 10-TLS 1.2 DSA Certificate Test-client
+[12-TLS 1.2 DSA Certificate Test-ssl]
+server = 12-TLS 1.2 DSA Certificate Test-server
+client = 12-TLS 1.2 DSA Certificate Test-client
-[10-TLS 1.2 DSA Certificate Test-server]
+[12-TLS 1.2 DSA Certificate Test-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = ALL
DHParameters = ${ENV::TEST_CERTS_DIR}/dhp2048.pem
@@ -317,13 +379,13 @@ MaxProtocol = TLSv1.2
MinProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
-[10-TLS 1.2 DSA Certificate Test-client]
+[12-TLS 1.2 DSA Certificate Test-client]
CipherString = ALL
SignatureAlgorithms = DSA+SHA256:DSA+SHA1
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
-[test-10]
+[test-12]
ExpectedResult = Success
diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in
index e33b3d6..1dd7860 100644
--- a/test/ssl-tests/20-cert-select.conf.in
+++ b/test/ssl-tests/20-cert-select.conf.in
@@ -79,6 +79,36 @@ our @tests = (
},
},
{
+ name => "ECDSA Signature Algorithm Selection SHA1",
+ server => $server,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA1",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
+ name => "ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MaxProtocol" => "TLSv1.2"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedServerCertType" => "P-256",
+ "ExpectedServerSignHash" => "SHA256",
+ "ExpectedServerSignType" => "EC",
+ "ExpectedResult" => "Success"
+ },
+ },
+ {
name => "ECDSA Signature Algorithm Selection, no ECDSA certificate",
server => {
"MaxProtocol" => "TLSv1.2"
@@ -188,6 +218,31 @@ my @tests_tls_1_3 = (
},
},
{
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection compressed point",
+ server => {
+ "ECDSA.Certificate" => test_pem("server-cecdsa-cert.pem"),
+ "ECDSA.PrivateKey" => test_pem("server-cecdsa-key.pem"),
+ "MinProtocol" => "TLSv1.3",
+ "MaxProtocol" => "TLSv1.3"
+ },
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA256",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
+ name => "TLS 1.3 ECDSA Signature Algorithm Selection SHA1",
+ server => $server_tls_1_3,
+ client => {
+ "SignatureAlgorithms" => "ECDSA+SHA1",
+ },
+ test => {
+ "ExpectedResult" => "ServerFail"
+ },
+ },
+ {
name => "TLS 1.3 ECDSA Signature Algorithm Selection with PSS",
server => $server_tls_1_3,
client => {
More information about the openssl-commits
mailing list