[openssl-commits] [openssl] OpenSSL_1_1_1-stable update
Matt Caswell
matt at openssl.org
Wed Nov 14 11:38:06 UTC 2018
The branch OpenSSL_1_1_1-stable has been updated
via eaa32f3679a8f36975142ece0958a68422af8bbc (commit)
from e0e5241fc917fb3cc2320659c4216518da0ae2c9 (commit)
- Log -----------------------------------------------------------------
commit eaa32f3679a8f36975142ece0958a68422af8bbc
Author: Matt Caswell <matt at openssl.org>
Date: Mon Nov 12 14:23:07 2018 +0000
Fix no-ec and no-tls1_2
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7620)
(cherry picked from commit 65d2c16cbe0da8efed2f285f59930297326fb435)
-----------------------------------------------------------------------
Summary of changes:
ssl/ssl_locl.h | 2 ++
ssl/statem/statem_lib.c | 9 ++++++-
ssl/t1_lib.c | 2 ++
test/recipes/80-test_ssl_new.t | 1 +
test/ssl-tests/28-seclevel.conf | 52 +++++++++++++++++++-------------------
test/ssl-tests/28-seclevel.conf.in | 28 +++++++++++++-------
6 files changed, 58 insertions(+), 36 deletions(-)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e9c5c5c..70e5a17 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+# ifndef OPENSSL_NO_EC
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
+# endif
__owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
__owur int ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 95c2206..4324896 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
*/
static int is_tls13_capable(const SSL *s)
{
- int i, curve;
+ int i;
+#ifndef OPENSSL_NO_EC
+ int curve;
EC_KEY *eckey;
+#endif
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
}
if (!ssl_has_cert(s, i))
continue;
+#ifndef OPENSSL_NO_EC
if (i != SSL_PKEY_ECC)
return 1;
/*
@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
if (tls_check_sigalg_curve(s, curve))
return 1;
+#else
+ return 1;
+#endif
}
return 0;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index e79c7bf..fc41ed9 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
}
}
+#ifndef OPENSSL_NO_EC
/*
* Called by servers only. Checks that we have a sig alg that supports the
* specified EC curve.
@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
return 0;
}
+#endif
/*
* Check signature algorithm is consistent with sent supported signature
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index da8302d..db2271c 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
"22-compression.conf" => !$is_default_tls,
"25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.conf" => !$is_default_tls,
+ "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
);
# Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf
index ddc2448..f863f68 100644
--- a/test/ssl-tests/28-seclevel.conf
+++ b/test/ssl-tests/28-seclevel.conf
@@ -4,8 +4,8 @@ num_tests = 4
test-0 = 0-SECLEVEL 3 with default key
test-1 = 1-SECLEVEL 3 with ED448 key
-test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
-test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
# ===========================================================
[0-SECLEVEL 3 with default key]
@@ -54,22 +54,22 @@ ExpectedResult = Success
# ===========================================================
-[2-SECLEVEL 3 with ED448 key, TLSv1.2]
-ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
-server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
-client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
CipherString = DEFAULT:@SECLEVEL=3
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
[test-2]
@@ -78,22 +78,22 @@ ExpectedResult = Success
# ===========================================================
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
-ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+[3-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
-server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
-client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
CipherString = DEFAULT:@SECLEVEL=3
-Groups = X25519
-PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
-CipherString = ECDHE:@SECLEVEL=3
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-3]
diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in
index 5a1ee46..9f85a95 100644
--- a/test/ssl-tests/28-seclevel.conf.in
+++ b/test/ssl-tests/28-seclevel.conf.in
@@ -10,6 +10,7 @@
## SSL test configurations
package ssltests;
+use OpenSSL::Test::Utils;
our @tests = (
{
@@ -18,6 +19,9 @@ our @tests = (
client => { },
test => { "ExpectedResult" => "ServerFail" },
},
+);
+
+our @tests_ec = (
{
name => "SECLEVEL 3 with ED448 key",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -27,15 +31,6 @@ our @tests = (
test => { "ExpectedResult" => "Success" },
},
{
- name => "SECLEVEL 3 with ED448 key, TLSv1.2",
- server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
- "Certificate" => test_pem("server-ed448-cert.pem"),
- "PrivateKey" => test_pem("server-ed448-key.pem"),
- "MaxProtocol" => "TLSv1.2" },
- client => { },
- test => { "ExpectedResult" => "Success" },
- },
- {
name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
"Certificate" => test_pem("p384-server-cert.pem"),
@@ -46,3 +41,18 @@ our @tests = (
test => { "ExpectedResult" => "Success" },
},
);
+
+our @tests_tls1_2 = (
+ {
+ name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+ server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+ "Certificate" => test_pem("server-ed448-cert.pem"),
+ "PrivateKey" => test_pem("server-ed448-key.pem"),
+ "MaxProtocol" => "TLSv1.2" },
+ client => { },
+ test => { "ExpectedResult" => "Success" },
+ },
+);
+
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
More information about the openssl-commits
mailing list