From 75b68c9e4e8591a4ebe083cb207aeb121baf549f Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 12 Oct 2018 17:24:14 +0200 Subject: [PATCH] Unbreak SECLEVEL 3 regression causing it to not accept any ciphers. Reviewed-by: Kurt Roeckx Reviewed-by: Richard Levitte GH: #7391 --- ssl/ssl_cert.c | 4 +- test/recipes/80-test_ssl_new.t | 2 +- test/ssl-tests/28-seclevel.conf | 102 +++++++++++++++++++++++++++++ test/ssl-tests/28-seclevel.conf.in | 48 ++++++++++++++ 4 files changed, 153 insertions(+), 3 deletions(-) create mode 100644 test/ssl-tests/28-seclevel.conf create mode 100644 test/ssl-tests/28-seclevel.conf.in diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 52a4a7eaad..7d7357fb3a 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -951,8 +951,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, if (level >= 2 && c->algorithm_enc == SSL_RC4) return 0; /* Level 3: forward secure ciphersuites only */ - if (level >= 3 && (c->min_tls != TLS1_3_VERSION || - !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))) + if (level >= 3 && c->min_tls != TLS1_3_VERSION && + !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))) return 0; break; } diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index e15d87eb46..da8302d206 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 27; # = scalar @conf_srcs +plan tests => 28; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf new file mode 100644 index 0000000000..ddc2448f85 --- /dev/null +++ b/test/ssl-tests/28-seclevel.conf @@ -0,0 +1,102 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 4 + +test-0 = 0-SECLEVEL 3 with default key +test-1 = 1-SECLEVEL 3 with ED448 key +test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2 +test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE +# =========================================================== + +[0-SECLEVEL 3 with default key] +ssl_conf = 0-SECLEVEL 3 with default key-ssl + +[0-SECLEVEL 3 with default key-ssl] +server = 0-SECLEVEL 3 with default key-server +client = 0-SECLEVEL 3 with default key-client + +[0-SECLEVEL 3 with default key-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT:@SECLEVEL=3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-SECLEVEL 3 with default key-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +ExpectedResult = ServerFail + + +# =========================================================== + +[1-SECLEVEL 3 with ED448 key] +ssl_conf = 1-SECLEVEL 3 with ED448 key-ssl + +[1-SECLEVEL 3 with ED448 key-ssl] +server = 1-SECLEVEL 3 with ED448 key-server +client = 1-SECLEVEL 3 with ED448 key-client + +[1-SECLEVEL 3 with ED448 key-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +CipherString = DEFAULT:@SECLEVEL=3 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem + +[1-SECLEVEL 3 with ED448 key-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +ExpectedResult = Success + + +# =========================================================== + +[2-SECLEVEL 3 with ED448 key, TLSv1.2] +ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl + +[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl] +server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server +client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client + +[2-SECLEVEL 3 with ED448 key, TLSv1.2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem +CipherString = DEFAULT:@SECLEVEL=3 +MaxProtocol = TLSv1.2 +PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem + +[2-SECLEVEL 3 with ED448 key, TLSv1.2-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +ExpectedResult = Success + + +# =========================================================== + +[3-SECLEVEL 3 with P-384 key, X25519 ECDHE] +ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl + +[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl] +server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server +client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client + +[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server] +Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem +CipherString = DEFAULT:@SECLEVEL=3 +Groups = X25519 +PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem + +[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client] +CipherString = ECDHE:@SECLEVEL=3 +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem +VerifyMode = Peer + +[test-3] +ExpectedResult = Success + + diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in new file mode 100644 index 0000000000..5a1ee4638f --- /dev/null +++ b/test/ssl-tests/28-seclevel.conf.in @@ -0,0 +1,48 @@ +# -*- mode: perl; -*- +# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +## SSL test configurations + +package ssltests; + +our @tests = ( + { + name => "SECLEVEL 3 with default key", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" }, + client => { }, + test => { "ExpectedResult" => "ServerFail" }, + }, + { + name => "SECLEVEL 3 with ED448 key", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", + "Certificate" => test_pem("server-ed448-cert.pem"), + "PrivateKey" => test_pem("server-ed448-key.pem") }, + client => { }, + test => { "ExpectedResult" => "Success" }, + }, + { + name => "SECLEVEL 3 with ED448 key, TLSv1.2", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", + "Certificate" => test_pem("server-ed448-cert.pem"), + "PrivateKey" => test_pem("server-ed448-key.pem"), + "MaxProtocol" => "TLSv1.2" }, + client => { }, + test => { "ExpectedResult" => "Success" }, + }, + { + name => "SECLEVEL 3 with P-384 key, X25519 ECDHE", + server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", + "Certificate" => test_pem("p384-server-cert.pem"), + "PrivateKey" => test_pem("p384-server-key.pem"), + "Groups" => "X25519" }, + client => { "CipherString" => "ECDHE:\@SECLEVEL=3", + "VerifyCAFile" => test_pem("p384-root.pem") }, + test => { "ExpectedResult" => "Success" }, + }, +); -- 2.25.1