[openssl] master update
bernd.edlinger at hotmail.de
bernd.edlinger at hotmail.de
Fri Nov 26 05:46:49 UTC 2021
The branch master has been updated
via 0a10825a009c830125fef94c81d34e41300a24a5 (commit)
from 8e22f9d6d956ad583afe10b986519731c113ac80 (commit)
- Log -----------------------------------------------------------------
commit 0a10825a009c830125fef94c81d34e41300a24a5
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Wed Oct 24 23:10:38 2018 +0200
Enable brainpool curves for TLS1.3
See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7485)
-----------------------------------------------------------------------
Summary of changes:
include/internal/tlsgroups.h | 10 +++
ssl/s3_lib.c | 5 +-
ssl/ssl_local.h | 5 ++
ssl/statem/extensions.c | 2 +-
ssl/statem/extensions_clnt.c | 20 +++++-
ssl/statem/extensions_srvr.c | 15 ++--
ssl/statem/statem_lib.c | 6 ++
ssl/t1_lib.c | 129 +++++++++++++++++++++++++----------
ssl/t1_trce.c | 3 +
test/ssl-tests/20-cert-select.cnf | 4 +-
test/ssl-tests/20-cert-select.cnf.in | 4 +-
11 files changed, 153 insertions(+), 50 deletions(-)
diff --git a/include/internal/tlsgroups.h b/include/internal/tlsgroups.h
index 8a35ced122..73fb53bc5f 100644
--- a/include/internal/tlsgroups.h
+++ b/include/internal/tlsgroups.h
@@ -41,6 +41,16 @@
# define OSSL_TLS_GROUP_ID_brainpoolP512r1 0x001C
# define OSSL_TLS_GROUP_ID_x25519 0x001D
# define OSSL_TLS_GROUP_ID_x448 0x001E
+# define OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13 0x001F
+# define OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13 0x0020
+# define OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13 0x0021
+# define OSSL_TLS_GROUP_ID_gc256A 0x0022
+# define OSSL_TLS_GROUP_ID_gc256B 0x0023
+# define OSSL_TLS_GROUP_ID_gc256C 0x0024
+# define OSSL_TLS_GROUP_ID_gc256D 0x0025
+# define OSSL_TLS_GROUP_ID_gc512A 0x0026
+# define OSSL_TLS_GROUP_ID_gc512B 0x0027
+# define OSSL_TLS_GROUP_ID_gc512C 0x0028
# define OSSL_TLS_GROUP_ID_ffdhe2048 0x0100
# define OSSL_TLS_GROUP_ID_ffdhe3072 0x0101
# define OSSL_TLS_GROUP_ID_ffdhe4096 0x0102
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 88565a7000..1a89bde851 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3607,8 +3607,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
int *cptr = parg;
for (i = 0; i < clistlen; i++) {
+ uint16_t cid = SSL_IS_TLS13(s)
+ ? ssl_group_id_tls13_to_internal(clist[i])
+ : clist[i];
const TLS_GROUP_INFO *cinf
- = tls1_group_id_lookup(s->ctx, clist[i]);
+ = tls1_group_id_lookup(s->ctx, cid);
if (cinf != NULL)
cptr[i] = tls1_group_id2nid(cinf->group_id, 1);
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 9b88140a28..ddae48b2af 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2169,6 +2169,9 @@ typedef enum downgrade_en {
#define TLSEXT_SIGALG_ed25519 0x0807
#define TLSEXT_SIGALG_ed448 0x0808
+#define TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256 0x081a
+#define TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384 0x081b
+#define TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512 0x081c
/* Known PSK key exchange modes */
#define TLSEXT_KEX_MODE_KE 0x00
@@ -2642,6 +2645,8 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s);
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n);
+__owur uint16_t ssl_group_id_internal_to_tls13(uint16_t curve_id);
+__owur uint16_t ssl_group_id_tls13_to_internal(uint16_t curve_id);
__owur const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t curve_id);
__owur int tls1_group_id2nid(uint16_t group_id, int include_unknown);
__owur uint16_t tls1_nid2group_id(int nid);
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index bc437be26a..0ac8253be3 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1369,7 +1369,7 @@ static int final_key_share(SSL *s, unsigned int context, int sent)
group_id = pgroups[i];
if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
- 1))
+ 2))
break;
}
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index b38c9ca684..d6d4e55ce7 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -224,6 +224,21 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
+#ifndef OPENSSL_NO_TLS1_3
+ int ctmp13 = ssl_group_id_internal_to_tls13(ctmp);
+
+ if (ctmp13 != 0 && ctmp13 != ctmp
+ && max_version == TLS1_3_VERSION) {
+ if (!WPACKET_put_bytes_u16(pkt, ctmp13)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
+ }
+ tls13added++;
+ added++;
+ if (min_version == TLS1_3_VERSION)
+ continue;
+ }
+#endif
if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
@@ -622,7 +637,7 @@ static int add_key_share(SSL *s, WPACKET *pkt, unsigned int curve_id)
}
/* Create KeyShareEntry */
- if (!WPACKET_put_bytes_u16(pkt, curve_id)
+ if (!WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(curve_id))
|| !WPACKET_sub_memcpy_u16(pkt, encoded_point, encodedlen)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
@@ -675,6 +690,8 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt,
curve_id = s->s3.group_id;
} else {
for (i = 0; i < num_groups; i++) {
+ if (ssl_group_id_internal_to_tls13(pgroups[i]) == 0)
+ continue;
if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
continue;
@@ -1747,6 +1764,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
return 0;
}
+ group_id = ssl_group_id_tls13_to_internal(group_id);
if ((context & SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST) != 0) {
const uint16_t *pgroups = NULL;
size_t i, num_groups;
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 3afb18c312..fa64435a00 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -635,7 +635,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
* we requested, and must be the only key_share sent.
*/
if (s->s3.group_id != 0
- && (group_id != s->s3.group_id
+ && (ssl_group_id_tls13_to_internal(group_id) != s->s3.group_id
|| PACKET_remaining(&key_share_list) != 0)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
return 0;
@@ -653,16 +653,18 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
continue;
}
+ s->s3.group_id = group_id;
+ /* Cache the selected group ID in the SSL_SESSION */
+ s->session->kex_group = group_id;
+
+ group_id = ssl_group_id_tls13_to_internal(group_id);
+
if ((s->s3.peer_tmp = ssl_generate_param_group(s, group_id)) == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
return 0;
}
- s->s3.group_id = group_id;
- /* Cache the selected group ID in the SSL_SESSION */
- s->session->kex_group = group_id;
-
if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
PACKET_data(&encoded_pt),
PACKET_remaining(&encoded_pt)) <= 0) {
@@ -1591,7 +1593,8 @@ EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt,
}
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
|| !WPACKET_start_sub_packet_u16(pkt)
- || !WPACKET_put_bytes_u16(pkt, s->s3.group_id)
+ || !WPACKET_put_bytes_u16(pkt, ssl_group_id_internal_to_tls13(
+ s->s3.group_id))
|| !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 79ac9be04b..334e1c7bd4 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -2165,9 +2165,15 @@ int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
if (groups == NULL || num_groups == 0)
return 0;
+ if (checkallow == 1)
+ group_id = ssl_group_id_tls13_to_internal(group_id);
+
for (i = 0; i < num_groups; i++) {
uint16_t group = groups[i];
+ if (checkallow == 2)
+ group = ssl_group_id_tls13_to_internal(group);
+
if (group_id == group
&& (!checkallow
|| tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fc32bb3556..88912be23c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -171,13 +171,13 @@ static struct {
{NID_brainpoolP512r1, OSSL_TLS_GROUP_ID_brainpoolP512r1},
{EVP_PKEY_X25519, OSSL_TLS_GROUP_ID_x25519},
{EVP_PKEY_X448, OSSL_TLS_GROUP_ID_x448},
- {NID_id_tc26_gost_3410_2012_256_paramSetA, 0x0022},
- {NID_id_tc26_gost_3410_2012_256_paramSetB, 0x0023},
- {NID_id_tc26_gost_3410_2012_256_paramSetC, 0x0024},
- {NID_id_tc26_gost_3410_2012_256_paramSetD, 0x0025},
- {NID_id_tc26_gost_3410_2012_512_paramSetA, 0x0026},
- {NID_id_tc26_gost_3410_2012_512_paramSetB, 0x0027},
- {NID_id_tc26_gost_3410_2012_512_paramSetC, 0x0028},
+ {NID_id_tc26_gost_3410_2012_256_paramSetA, OSSL_TLS_GROUP_ID_gc256A},
+ {NID_id_tc26_gost_3410_2012_256_paramSetB, OSSL_TLS_GROUP_ID_gc256B},
+ {NID_id_tc26_gost_3410_2012_256_paramSetC, OSSL_TLS_GROUP_ID_gc256C},
+ {NID_id_tc26_gost_3410_2012_256_paramSetD, OSSL_TLS_GROUP_ID_gc256D},
+ {NID_id_tc26_gost_3410_2012_512_paramSetA, OSSL_TLS_GROUP_ID_gc512A},
+ {NID_id_tc26_gost_3410_2012_512_paramSetB, OSSL_TLS_GROUP_ID_gc512B},
+ {NID_id_tc26_gost_3410_2012_512_paramSetC, OSSL_TLS_GROUP_ID_gc512C},
{NID_ffdhe2048, OSSL_TLS_GROUP_ID_ffdhe2048},
{NID_ffdhe3072, OSSL_TLS_GROUP_ID_ffdhe3072},
{NID_ffdhe4096, OSSL_TLS_GROUP_ID_ffdhe4096},
@@ -193,28 +193,28 @@ static const unsigned char ecformats_default[] = {
/* The default curves */
static const uint16_t supported_groups_default[] = {
- 29, /* X25519 (29) */
- 23, /* secp256r1 (23) */
- 30, /* X448 (30) */
- 25, /* secp521r1 (25) */
- 24, /* secp384r1 (24) */
- 34, /* GC256A (34) */
- 35, /* GC256B (35) */
- 36, /* GC256C (36) */
- 37, /* GC256D (37) */
- 38, /* GC512A (38) */
- 39, /* GC512B (39) */
- 40, /* GC512C (40) */
- 0x100, /* ffdhe2048 (0x100) */
- 0x101, /* ffdhe3072 (0x101) */
- 0x102, /* ffdhe4096 (0x102) */
- 0x103, /* ffdhe6144 (0x103) */
- 0x104, /* ffdhe8192 (0x104) */
+ OSSL_TLS_GROUP_ID_x25519, /* X25519 (29) */
+ OSSL_TLS_GROUP_ID_secp256r1, /* secp256r1 (23) */
+ OSSL_TLS_GROUP_ID_x448, /* X448 (30) */
+ OSSL_TLS_GROUP_ID_secp521r1, /* secp521r1 (25) */
+ OSSL_TLS_GROUP_ID_secp384r1, /* secp384r1 (24) */
+ OSSL_TLS_GROUP_ID_gc256A, /* GC256A (34) */
+ OSSL_TLS_GROUP_ID_gc256B, /* GC256B (35) */
+ OSSL_TLS_GROUP_ID_gc256C, /* GC256C (36) */
+ OSSL_TLS_GROUP_ID_gc256D, /* GC256D (37) */
+ OSSL_TLS_GROUP_ID_gc512A, /* GC512A (38) */
+ OSSL_TLS_GROUP_ID_gc512B, /* GC512B (39) */
+ OSSL_TLS_GROUP_ID_gc512C, /* GC512C (40) */
+ OSSL_TLS_GROUP_ID_ffdhe2048, /* ffdhe2048 (0x100) */
+ OSSL_TLS_GROUP_ID_ffdhe3072, /* ffdhe3072 (0x101) */
+ OSSL_TLS_GROUP_ID_ffdhe4096, /* ffdhe4096 (0x102) */
+ OSSL_TLS_GROUP_ID_ffdhe6144, /* ffdhe6144 (0x103) */
+ OSSL_TLS_GROUP_ID_ffdhe8192, /* ffdhe8192 (0x104) */
};
static const uint16_t suiteb_curves[] = {
- TLSEXT_curve_P_256,
- TLSEXT_curve_P_384
+ OSSL_TLS_GROUP_ID_secp256r1,
+ OSSL_TLS_GROUP_ID_secp384r1,
};
struct provider_group_data_st {
@@ -433,6 +433,42 @@ static uint16_t tls1_group_name2id(SSL_CTX *ctx, const char *name)
return 0;
}
+uint16_t ssl_group_id_internal_to_tls13(uint16_t curve_id)
+{
+ switch(curve_id) {
+ case OSSL_TLS_GROUP_ID_brainpoolP256r1:
+ return OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13;
+ case OSSL_TLS_GROUP_ID_brainpoolP384r1:
+ return OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13;
+ case OSSL_TLS_GROUP_ID_brainpoolP512r1:
+ return OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13;
+ case OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13:
+ case OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13:
+ case OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13:
+ return 0;
+ default:
+ return curve_id;
+ }
+}
+
+uint16_t ssl_group_id_tls13_to_internal(uint16_t curve_id)
+{
+ switch(curve_id) {
+ case OSSL_TLS_GROUP_ID_brainpoolP256r1:
+ case OSSL_TLS_GROUP_ID_brainpoolP384r1:
+ case OSSL_TLS_GROUP_ID_brainpoolP512r1:
+ return 0;
+ case OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13:
+ return OSSL_TLS_GROUP_ID_brainpoolP256r1;
+ case OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13:
+ return OSSL_TLS_GROUP_ID_brainpoolP384r1;
+ case OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13:
+ return OSSL_TLS_GROUP_ID_brainpoolP512r1;
+ default:
+ return curve_id;
+ }
+}
+
const TLS_GROUP_INFO *tls1_group_id_lookup(SSL_CTX *ctx, uint16_t group_id)
{
size_t i;
@@ -611,9 +647,9 @@ uint16_t tls1_shared_group(SSL *s, int nmatch)
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
- return TLSEXT_curve_P_256;
+ return OSSL_TLS_GROUP_ID_secp256r1;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
- return TLSEXT_curve_P_384;
+ return OSSL_TLS_GROUP_ID_secp384r1;
/* Should never happen */
return 0;
}
@@ -634,10 +670,17 @@ uint16_t tls1_shared_group(SSL *s, int nmatch)
for (k = 0, i = 0; i < num_pref; i++) {
uint16_t id = pref[i];
+ uint16_t cid = id;
- if (!tls1_in_list(id, supp, num_supp)
- || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
- continue;
+ if (SSL_IS_TLS13(s)) {
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE)
+ cid = ssl_group_id_internal_to_tls13(id);
+ else
+ cid = id = ssl_group_id_tls13_to_internal(id);
+ }
+ if (!tls1_in_list(cid, supp, num_supp)
+ || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED))
+ continue;
if (nmatch == k)
return id;
k++;
@@ -782,10 +825,10 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups)
unsigned long cid = s->s3.tmp.new_cipher->id;
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) {
- if (group_id != TLSEXT_curve_P_256)
+ if (group_id != OSSL_TLS_GROUP_ID_secp256r1)
return 0;
} else if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) {
- if (group_id != TLSEXT_curve_P_384)
+ if (group_id != OSSL_TLS_GROUP_ID_secp384r1)
return 0;
} else {
/* Should never happen */
@@ -931,9 +974,9 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int check_ee_md)
size_t i;
/* Check to see we have necessary signing algorithm */
- if (group_id == TLSEXT_curve_P_256)
+ if (group_id == OSSL_TLS_GROUP_ID_secp256r1)
check_md = NID_ecdsa_with_SHA256;
- else if (group_id == TLSEXT_curve_P_384)
+ else if (group_id == OSSL_TLS_GROUP_ID_secp384r1)
check_md = NID_ecdsa_with_SHA384;
else
return 0; /* Should never happen */
@@ -966,9 +1009,9 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
* curves permitted.
*/
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
- return tls1_check_group_id(s, TLSEXT_curve_P_256, 1);
+ return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp256r1, 1);
if (cid == TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
- return tls1_check_group_id(s, TLSEXT_curve_P_384, 1);
+ return tls1_check_group_id(s, OSSL_TLS_GROUP_ID_secp384r1, 1);
return 0;
}
@@ -980,6 +1023,9 @@ static const uint16_t tls12_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
TLSEXT_SIGALG_ed25519,
TLSEXT_SIGALG_ed448,
+ TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
+ TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
+ TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
TLSEXT_SIGALG_rsa_pss_pss_sha256,
TLSEXT_SIGALG_rsa_pss_pss_sha384,
@@ -1042,6 +1088,15 @@ static const SIGALG_LOOKUP sigalg_lookup_tbl[] = {
{NULL, TLSEXT_SIGALG_ecdsa_sha1,
NID_sha1, SSL_MD_SHA1_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
NID_ecdsa_with_SHA1, NID_undef, 1},
+ {"ecdsa_brainpoolP256r1_sha256", TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256,
+ NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA256, NID_brainpoolP256r1, 1},
+ {"ecdsa_brainpoolP384r1_sha384", TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384,
+ NID_sha384, SSL_MD_SHA384_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA384, NID_brainpoolP384r1, 1},
+ {"ecdsa_brainpoolP512r1_sha512", TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512,
+ NID_sha512, SSL_MD_SHA512_IDX, EVP_PKEY_EC, SSL_PKEY_ECC,
+ NID_ecdsa_with_SHA512, NID_brainpoolP512r1, 1},
{"rsa_pss_rsae_sha256", TLSEXT_SIGALG_rsa_pss_rsae_sha256,
NID_sha256, SSL_MD_SHA256_IDX, EVP_PKEY_RSA_PSS, SSL_PKEY_RSA,
NID_undef, NID_undef, 1},
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 405b1e6864..3ae97ac822 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -584,6 +584,9 @@ static const ssl_trace_tbl ssl_sigalg_tbl[] = {
{TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256, "gost2012_256"},
{TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512, "gost2012_512"},
{TLSEXT_SIGALG_gostr34102001_gostr3411, "gost2001_gost94"},
+ {TLSEXT_SIGALG_ecdsa_brainpoolP256r1_sha256, "ecdsa_brainpoolP256r1_sha256"},
+ {TLSEXT_SIGALG_ecdsa_brainpoolP384r1_sha384, "ecdsa_brainpoolP384r1_sha384"},
+ {TLSEXT_SIGALG_ecdsa_brainpoolP512r1_sha512, "ecdsa_brainpoolP512r1_sha512"},
};
static const ssl_trace_tbl ssl_ctype_tbl[] = {
diff --git a/test/ssl-tests/20-cert-select.cnf b/test/ssl-tests/20-cert-select.cnf
index 79dcd4c8f4..853deff1d4 100644
--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
@@ -1728,7 +1728,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-52]
-ExpectedResult = ClientFail
+ExpectedResult = ServerFail
# ===========================================================
@@ -1754,7 +1754,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-53]
-ExpectedResult = ServerFail
+ExpectedResult = Success
# ===========================================================
diff --git a/test/ssl-tests/20-cert-select.cnf.in b/test/ssl-tests/20-cert-select.cnf.in
index 30cde592c6..26c7318974 100644
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@@ -909,7 +909,7 @@ my @tests_tls_1_3_non_fips = (
#We only configured brainpoolP256r1 on the client side, but TLSv1.3
#is enabled and this group is not allowed in TLSv1.3. Therefore this
#should fail
- "ExpectedResult" => "ClientFail"
+ "ExpectedResult" => "ServerFail"
},
},
{
@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = (
"MaxProtocol" => "TLSv1.3"
},
test => {
- "ExpectedResult" => "ServerFail"
+ "ExpectedResult" => "Success"
},
},
);
More information about the openssl-commits
mailing list