Fix no-ec and no-tls1_2

author Matt Caswell <matt@openssl.org>

Mon, 12 Nov 2018 14:23:07 +0000 (14:23 +0000)

committer Matt Caswell <matt@openssl.org>

Wed, 14 Nov 2018 11:28:01 +0000 (11:28 +0000)
author Matt Caswell <matt@openssl.org>
Mon, 12 Nov 2018 14:23:07 +0000 (14:23 +0000)
committer Matt Caswell <matt@openssl.org>
Wed, 14 Nov 2018 11:28:01 +0000 (11:28 +0000)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h

index e9c5c5cf80520f942d41062f7bde08401fe5f0f3..70e5a1740f9c4d1ec06f3c099b80bdbf8be84cbf 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
  __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
  __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
  __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+#  ifndef OPENSSL_NO_EC
  __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+#  endif
  __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
  __owur int ssl_set_client_disabled(SSL *s);
  __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c

index 95c22062ba68cbf8478408e1e3b3d939ada6a062..4324896f500ac11aa6b18fe5ccbaccc483d0c670 100644 (file)
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
   */
  static int is_tls13_capable(const SSL *s)
  {
-    int i, curve;
+    int i;
+#ifndef OPENSSL_NO_EC
+    int curve;
      EC_KEY *eckey;
+#endif
  
  #ifndef OPENSSL_NO_PSK
      if (s->psk_server_callback != NULL)
@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
          }
          if (!ssl_has_cert(s, i))
              continue;
+#ifndef OPENSSL_NO_EC
          if (i != SSL_PKEY_ECC)
              return 1;
          /*
@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
          curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
          if (tls_check_sigalg_curve(s, curve))
              return 1;
+#else
+        return 1;
+#endif
      }
  
      return 0;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index fe13a39c38cd2af7d8a787d2587854e34e161699..3415c6335f539978b548dd3b1c1fe6e3645b2437 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
      }
  }
  
+#ifndef OPENSSL_NO_EC
  /*
   * Called by servers only. Checks that we have a sig alg that supports the
   * specified EC curve.
@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
  
      return 0;
  }
+#endif
  
  /*
   * Check signature algorithm is consistent with sent supported signature
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t

index da8302d206bf33b1ff9c25f61118394ddc5e89a4..db2271c388dd846caaf2b1042a8028296c934040 100644 (file)
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
    "22-compression.conf" => !$is_default_tls,
    "25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
    "27-ticket-appdata.conf" => !$is_default_tls,
+  "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
  );
  
  # Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf

index ddc2448f853a40d658e4c55405b11313dabdcf68..f863f68b080115a10ae2df6b3ad6e36372f264ec 100644 (file)
--- a/test/ssl-tests/28-seclevel.conf
+++ b/test/ssl-tests/28-seclevel.conf
@@ -4,8 +4,8 @@ num_tests = 4
  
  test-0 = 0-SECLEVEL 3 with default key
  test-1 = 1-SECLEVEL 3 with ED448 key
-test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
-test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
  # ===========================================================
  
  [0-SECLEVEL 3 with default key]
@@ -54,22 +54,22 @@ ExpectedResult = Success
  
  # ===========================================================
  
-[2-SECLEVEL 3 with ED448 key, TLSv1.2]
-ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
  
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
-server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
-client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
  
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
  CipherString = DEFAULT:@SECLEVEL=3
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
  
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
  VerifyMode = Peer
  
  [test-2]
@@ -78,22 +78,22 @@ ExpectedResult = Success
  
  # ===========================================================
  
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
-ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+[3-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
  
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
-server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
-client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client
  
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
  CipherString = DEFAULT:@SECLEVEL=3
-Groups = X25519
-PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
  
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
-CipherString = ECDHE:@SECLEVEL=3
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
  VerifyMode = Peer
  
  [test-3]
diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in

index 5a1ee4638fd186e4649567c44d92e1e4ae7c6ed8..9f85a955e194e413d33e993bc7a177070b779737 100644 (file)
--- a/test/ssl-tests/28-seclevel.conf.in
+++ b/test/ssl-tests/28-seclevel.conf.in
@@ -10,6 +10,7 @@
  ## SSL test configurations
  
  package ssltests;
+use OpenSSL::Test::Utils;
  
  our @tests = (
      {
@@ -18,6 +19,9 @@ our @tests = (
          client => { },
          test   => { "ExpectedResult" => "ServerFail" },
      },
+);
+
+our @tests_ec = (
      {
          name => "SECLEVEL 3 with ED448 key",
          server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -26,15 +30,6 @@ our @tests = (
          client => { },
          test   => { "ExpectedResult" => "Success" },
      },
-    {
-        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
-        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
-                    "Certificate" => test_pem("server-ed448-cert.pem"),
-                    "PrivateKey" => test_pem("server-ed448-key.pem"),
-                    "MaxProtocol" => "TLSv1.2" },
-        client => { },
-        test   => { "ExpectedResult" => "Success" },
-    },
      {
          name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
          server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -46,3 +41,18 @@ our @tests = (
          test   => { "ExpectedResult" => "Success" },
      },
  );
+
+our @tests_tls1_2 = (
+    {
+        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem"),
+                    "MaxProtocol" => "TLSv1.2" },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+);
+
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
author	Matt Caswell <matt@openssl.org>
	Mon, 12 Nov 2018 14:23:07 +0000 (14:23 +0000)
committer	Matt Caswell <matt@openssl.org>
	Wed, 14 Nov 2018 11:28:01 +0000 (11:28 +0000)
ssl/ssl_locl.h		patch \| blob \| history
ssl/statem/statem_lib.c		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history
test/recipes/80-test_ssl_new.t		patch \| blob \| history
test/ssl-tests/28-seclevel.conf		patch \| blob \| history
test/ssl-tests/28-seclevel.conf.in		patch \| blob \| history