[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

Kurt Roeckx kurt at openssl.org
Sat Nov 10 20:30:31 UTC 2018


The branch OpenSSL_1_1_1-stable has been updated
       via  e37b7014f3f52124b787ca1b5b51b0111462a0ac (commit)
      from  98f62979b2e6233470619c9adfa44704a7036699 (commit)


- Log -----------------------------------------------------------------
commit e37b7014f3f52124b787ca1b5b51b0111462a0ac
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Oct 12 17:24:14 2018 +0200

    Unbreak SECLEVEL 3 regression causing it to not accept any ciphers.
    
    Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    GH: #7391
    (cherry picked from commit 75b68c9e4e8591a4ebe083cb207aeb121baf549f)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_cert.c                     |   4 +-
 test/recipes/80-test_ssl_new.t     |   2 +-
 test/ssl-tests/28-seclevel.conf    | 102 +++++++++++++++++++++++++++++++++++++
 test/ssl-tests/28-seclevel.conf.in |  48 +++++++++++++++++
 4 files changed, 153 insertions(+), 3 deletions(-)
 create mode 100644 test/ssl-tests/28-seclevel.conf
 create mode 100644 test/ssl-tests/28-seclevel.conf.in

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 52a4a7e..7d7357f 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -951,8 +951,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
             if (level >= 2 && c->algorithm_enc == SSL_RC4)
                 return 0;
             /* Level 3: forward secure ciphersuites only */
-            if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
-                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
+            if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
+                               !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
                 return 0;
             break;
         }
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index e15d87e..da8302d 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
 
 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 27;  # = scalar @conf_srcs
+plan tests => 28;  # = scalar @conf_srcs
 
 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf
new file mode 100644
index 0000000..ddc2448
--- /dev/null
+++ b/test/ssl-tests/28-seclevel.conf
@@ -0,0 +1,102 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 4
+
+test-0 = 0-SECLEVEL 3 with default key
+test-1 = 1-SECLEVEL 3 with ED448 key
+test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
+test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+# ===========================================================
+
+[0-SECLEVEL 3 with default key]
+ssl_conf = 0-SECLEVEL 3 with default key-ssl
+
+[0-SECLEVEL 3 with default key-ssl]
+server = 0-SECLEVEL 3 with default key-server
+client = 0-SECLEVEL 3 with default key-client
+
+[0-SECLEVEL 3 with default key-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-SECLEVEL 3 with default key-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = ServerFail
+
+
+# ===========================================================
+
+[1-SECLEVEL 3 with ED448 key]
+ssl_conf = 1-SECLEVEL 3 with ED448 key-ssl
+
+[1-SECLEVEL 3 with ED448 key-ssl]
+server = 1-SECLEVEL 3 with ED448 key-server
+client = 1-SECLEVEL 3 with ED448 key-client
+
+[1-SECLEVEL 3 with ED448 key-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+
+[1-SECLEVEL 3 with ED448 key-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+
+[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+
+
+# ===========================================================
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+CipherString = DEFAULT:@SECLEVEL=3
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+
+[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = Success
+
+
diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in
new file mode 100644
index 0000000..5a1ee46
--- /dev/null
+++ b/test/ssl-tests/28-seclevel.conf.in
@@ -0,0 +1,48 @@
+# -*- mode: perl; -*-
+# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+## SSL test configurations
+
+package ssltests;
+
+our @tests = (
+    {
+        name => "SECLEVEL 3 with default key",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
+        client => { },
+        test   => { "ExpectedResult" => "ServerFail" },
+    },
+    {
+        name => "SECLEVEL 3 with ED448 key",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem") },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+    {
+        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem"),
+                    "MaxProtocol" => "TLSv1.2" },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+    {
+        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("p384-server-cert.pem"),
+                    "PrivateKey" => test_pem("p384-server-key.pem"),
+                    "Groups" => "X25519" },
+        client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
+                    "VerifyCAFile" => test_pem("p384-root.pem") },
+        test   => { "ExpectedResult" => "Success" },
+    },
+);


More information about the openssl-commits mailing list