[openssl] master update
Matt Caswell
matt at openssl.org
Thu Apr 29 14:58:15 UTC 2021
The branch master has been updated
via d77ba503a2cf1c83098baca345327761b991d191 (commit)
via 8ce390e1399a27e1c6e14756927e2331ee1cb5c5 (commit)
via fdf312709a34eb173f8366f55db0e0884b1f6a26 (commit)
from 0f077b5fd86e2df0b41608fbd5684fa1a2b58f59 (commit)
- Log -----------------------------------------------------------------
commit d77ba503a2cf1c83098baca345327761b991d191
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 27 15:04:11 2021 +0100
Adjust ssl_test_new for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.
There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.
Fixes #14956
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
commit 8ce390e1399a27e1c6e14756927e2331ee1cb5c5
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 27 12:05:00 2021 +0100
Adjust sslapitest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
sslapitest needed some adjustments in the event that DTLSv1.2 is disabled.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
commit fdf312709a34eb173f8366f55db0e0884b1f6a26
Author: Matt Caswell <matt at openssl.org>
Date: Tue Apr 27 11:07:57 2021 +0100
Adjust dtlstest for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
dtlstest needed some adjustments in the event that DTLSv1.2 is disabled.
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
-----------------------------------------------------------------------
Summary of changes:
test/dtlstest.c | 32 ++++++++++++++++++
test/ssl-tests/16-dtls-certstatus.cnf | 8 ++---
test/ssl-tests/16-dtls-certstatus.cnf.in | 33 +++++++++++++++----
test/ssl-tests/18-dtls-renegotiate.cnf | 20 +++++------
test/ssl-tests/18-dtls-renegotiate.cnf.in | 28 +++++++++++++---
test/ssl-tests/protocol_version.pm | 7 ++--
test/sslapitest.c | 55 +++++++++++++++++++++++++++++++
7 files changed, 155 insertions(+), 28 deletions(-)
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 4f0f9d549d..05b8ded9cc 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -67,8 +67,16 @@ static int test_dtls_unprocessed(int testidx)
&sctx, &cctx, cert, privkey)))
return 0;
+#ifndef OPENSSL_NO_DTLS1_2
if (!TEST_true(SSL_CTX_set_cipher_list(cctx, "AES128-SHA")))
goto end;
+#else
+ /* Default sigalgs are SHA1 based in <DTLS1.2 which is in security level 0 */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "AES128-SHA:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "AES128-SHA:@SECLEVEL=0")))
+ goto end;
+#endif
c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
if (!TEST_ptr(c_to_s_fbio))
@@ -167,6 +175,14 @@ static int test_dtls_drop_records(int idx)
&sctx, &cctx, cert, privkey)))
return 0;
+#ifdef OPENSSL_NO_DTLS1_2
+ /* Default sigalgs are SHA1 based in <DTLS1.2 which is in security level 0 */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+#endif
+
if (!TEST_true(SSL_CTX_set_dh_auto(sctx, 1)))
goto end;
@@ -286,6 +302,14 @@ static int test_cookie(void)
SSL_CTX_set_cookie_generate_cb(sctx, generate_cookie_cb);
SSL_CTX_set_cookie_verify_cb(sctx, verify_cookie_cb);
+#ifdef OPENSSL_NO_DTLS1_2
+ /* Default sigalgs are SHA1 based in <DTLS1.2 which is in security level 0 */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+#endif
+
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
@@ -314,6 +338,14 @@ static int test_dtls_duplicate_records(void)
&sctx, &cctx, cert, privkey)))
return 0;
+#ifdef OPENSSL_NO_DTLS1_2
+ /* Default sigalgs are SHA1 based in <DTLS1.2 which is in security level 0 */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+#endif
+
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL)))
goto end;
diff --git a/test/ssl-tests/16-dtls-certstatus.cnf b/test/ssl-tests/16-dtls-certstatus.cnf
index a561803a55..ee46be4d3b 100644
--- a/test/ssl-tests/16-dtls-certstatus.cnf
+++ b/test/ssl-tests/16-dtls-certstatus.cnf
@@ -15,11 +15,11 @@ client = 0-certstatus-good-client
[0-certstatus-good-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-certstatus-good-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -43,11 +43,11 @@ client = 1-certstatus-bad-client
[1-certstatus-bad-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-certstatus-bad-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/16-dtls-certstatus.cnf.in b/test/ssl-tests/16-dtls-certstatus.cnf.in
index c5545991d2..ebab3d7ca2 100644
--- a/test/ssl-tests/16-dtls-certstatus.cnf.in
+++ b/test/ssl-tests/16-dtls-certstatus.cnf.in
@@ -15,15 +15,22 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
-our @tests = (
+our $fips_mode;
+
+our @tests = ();
+
+our @tests_standard = (
{
name => "certstatus-good",
server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
- "CertStatus" => "GoodResponse",
+ "CertStatus" => "GoodResponse"
},
},
- client => {},
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ },
test => {
"Method" => "DTLS",
"ExpectedResult" => "Success"
@@ -32,11 +39,14 @@ our @tests = (
{
name => "certstatus-bad",
server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
"CertStatus" => "BadResponse",
},
},
- client => {},
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ },
test => {
"Method" => "DTLS",
"ExpectedResult" => "ClientFail"
@@ -48,11 +58,14 @@ our @tests_sctp = (
{
name => "certstatus-good",
server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
"CertStatus" => "GoodResponse",
},
},
- client => {},
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ },
test => {
"Method" => "DTLS",
"UseSCTP" => "Yes",
@@ -62,11 +75,14 @@ our @tests_sctp = (
{
name => "certstatus-bad",
server => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
extra => {
"CertStatus" => "BadResponse",
},
},
- client => {},
+ client => {
+ "CipherString" => "DEFAULT:\@SECLEVEL=0",
+ },
test => {
"Method" => "DTLS",
"UseSCTP" => "Yes",
@@ -75,4 +91,7 @@ our @tests_sctp = (
},
);
-push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+if (!$fips_mode || !disabled("dtls1_2")) {
+ push @tests, @tests_standard;
+ push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+}
diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf b/test/ssl-tests/18-dtls-renegotiate.cnf
index 9204dd2c5d..0f3d1eae23 100644
--- a/test/ssl-tests/18-dtls-renegotiate.cnf
+++ b/test/ssl-tests/18-dtls-renegotiate.cnf
@@ -22,12 +22,12 @@ client = 0-renegotiate-client-no-resume-client
[0-renegotiate-client-no-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
Options = NoResumptionOnRenegotiation
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-renegotiate-client-no-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -50,11 +50,11 @@ client = 1-renegotiate-client-resume-client
[1-renegotiate-client-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[1-renegotiate-client-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -77,11 +77,11 @@ client = 2-renegotiate-server-resume-client
[2-renegotiate-server-resume-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[2-renegotiate-server-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -104,14 +104,14 @@ client = 3-renegotiate-client-auth-require-client
[3-renegotiate-client-auth-require-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Require
[3-renegotiate-client-auth-require-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
@@ -135,14 +135,14 @@ client = 4-renegotiate-client-auth-once-client
[4-renegotiate-client-auth-once-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
VerifyMode = Once
[4-renegotiate-client-auth-once-client]
Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in
index b8ec735eb2..400ec67d31 100644
--- a/test/ssl-tests/18-dtls-renegotiate.cnf.in
+++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in
@@ -15,20 +15,26 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
+our $fips_mode;
+
our @tests = ();
foreach my $sctp ("No", "Yes")
{
next if disabled("sctp") && $sctp eq "Yes";
+ next if disabled("dtls1_2") && $fips_mode;
my $suffix = ($sctp eq "No") ? "" : "-sctp";
our @tests_basic = (
{
name => "renegotiate-client-no-resume".$suffix,
server => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0',
"Options" => "NoResumptionOnRenegotiation"
},
- client => {},
+ client => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
+ },
test => {
"Method" => "DTLS",
"UseSCTP" => $sctp,
@@ -39,8 +45,12 @@ foreach my $sctp ("No", "Yes")
},
{
name => "renegotiate-client-resume".$suffix,
- server => {},
- client => {},
+ server => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
+ },
+ client => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
+ },
test => {
"Method" => "DTLS",
"UseSCTP" => $sctp,
@@ -60,8 +70,12 @@ foreach my $sctp ("No", "Yes")
# and if so, what to?
{
name => "renegotiate-server-resume".$suffix,
- server => {},
- client => {},
+ server => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
+ },
+ client => {
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
+ },
test => {
"Method" => "DTLS",
"UseSCTP" => $sctp,
@@ -75,10 +89,12 @@ foreach my $sctp ("No", "Yes")
server => {
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require",
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
},
client => {
"Certificate" => test_pem("ee-client-chain.pem"),
"PrivateKey" => test_pem("ee-key.pem"),
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
},
test => {
"Method" => "DTLS",
@@ -93,10 +109,12 @@ foreach my $sctp ("No", "Yes")
server => {
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Once",
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
},
client => {
"Certificate" => test_pem("ee-client-chain.pem"),
"PrivateKey" => test_pem("ee-key.pem"),
+ "CipherString" => 'DEFAULT:@SECLEVEL=0'
},
test => {
"Method" => "DTLS",
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 9e9b9a892d..4e4ce365d6 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -102,7 +102,10 @@ $min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab
$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
sub no_tests {
- my ($dtls) = @_;
+ my ($dtls, $fips) = @_;
+ if ($dtls && $fips) {
+ return disabled("dtls1_2");
+ }
return $dtls ? alldisabled("dtls1", "dtls1_2") :
alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
}
@@ -134,7 +137,7 @@ sub generate_version_tests {
$max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
}
- if (no_tests($dtls)) {
+ if (no_tests($dtls, $fips)) {
return;
}
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 4625d34046..d4c8bf4d38 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -971,6 +971,19 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
privkey)))
goto end;
+#ifdef OPENSSL_NO_DTLS1_2
+ if (smeth == DTLS_server_method()) {
+ /*
+ * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
+ * level 0
+ */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+ }
+#endif
+
if (read_ahead) {
/*
* Test that read_ahead works correctly when dealing with large
@@ -1436,6 +1449,11 @@ static int test_large_message_tls_read_ahead(void)
#ifndef OPENSSL_NO_DTLS
static int test_large_message_dtls(void)
{
+# ifdef OPENSSL_NO_DTLS1_2
+ /* Not supported in the FIPS provider */
+ if (is_fips)
+ return 1;
+# endif
/*
* read_ahead is not relevant to DTLS because DTLS always acts as if
* read_ahead is set.
@@ -1467,6 +1485,26 @@ static int execute_cleanse_plaintext(const SSL_METHOD *smeth,
privkey)))
goto end;
+#ifdef OPENSSL_NO_DTLS1_2
+ if (smeth == DTLS_server_method()) {
+# ifdef OPENSSL_NO_DTLS1_2
+ /* Not supported in the FIPS provider */
+ if (is_fips) {
+ testresult = 1;
+ goto end;
+ };
+# endif
+ /*
+ * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
+ * level 0
+ */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+ }
+#endif
+
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL)))
goto end;
@@ -1550,6 +1588,7 @@ static int test_cleanse_plaintext(void)
#endif
#if !defined(OPENSSL_NO_DTLS)
+
if (!TEST_true(execute_cleanse_plaintext(DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION,
@@ -6619,6 +6658,22 @@ static int test_ssl_pending(int tst)
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
+
+# ifdef OPENSSL_NO_DTLS1_2
+ /* Not supported in the FIPS provider */
+ if (is_fips) {
+ testresult = 1;
+ goto end;
+ };
+ /*
+ * Default sigalgs are SHA1 based in <DTLS1.2 which is in security
+ * level 0
+ */
+ if (!TEST_true(SSL_CTX_set_cipher_list(sctx, "DEFAULT:@SECLEVEL=0"))
+ || !TEST_true(SSL_CTX_set_cipher_list(cctx,
+ "DEFAULT:@SECLEVEL=0")))
+ goto end;
+# endif
#else
return 1;
#endif
More information about the openssl-commits
mailing list