From dbc6268f68e50b2e49d7c5b1157b4f6bcea5d6f9 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 13 Jun 2019 11:06:12 +0100 Subject: [PATCH] Allow TLSv1.3 in a no-ec build Now that we have TLSv1.3 FFDHE support there is no reason why we should not allow TLSv1.3 to be used in a no-ec build. This commit enables that to happen. It also fixes no-ec which was previously broken. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/9156) --- Configure | 3 +- ssl/s3_lib.c | 6 +- ssl/ssl_lib.c | 3 +- ssl/ssl_locl.h | 14 +-- ssl/statem/extensions.c | 11 +- ssl/statem/extensions_clnt.c | 48 ++++++-- ssl/statem/extensions_srvr.c | 6 +- ssl/statem/statem_lib.c | 4 +- ssl/statem/statem_locl.h | 5 +- ssl/t1_lib.c | 178 +++++++++++++++------------ test/recipes/70-test_clienthello.t | 4 + test/recipes/70-test_key_share.t | 92 +++++++++++--- test/recipes/70-test_sslextension.t | 5 +- test/recipes/70-test_tls13cookie.t | 18 ++- test/recipes/70-test_tls13hrr.t | 12 +- test/recipes/70-test_tls13kexmodes.t | 3 + test/recipes/70-test_tls13messages.t | 3 + test/recipes/70-test_tls13psk.t | 12 +- test/recipes/80-test_ssl_new.t | 2 +- test/recipes/90-test_gost.t | 4 + test/ssl-tests/protocol_version.pm | 2 +- test/sslapitest.c | 64 ++++++---- test/tls13ccstest.c | 5 + 23 files changed, 329 insertions(+), 175 deletions(-) diff --git a/Configure b/Configure index 69a06d6062..90e97a1bb7 100755 --- a/Configure +++ b/Configure @@ -482,7 +482,7 @@ my @disable_cascades = ( "ssl3-method" => [ "ssl3" ], "zlib" => [ "zlib-dynamic" ], "des" => [ "mdc2" ], - "ec" => [ "ecdsa", "ecdh" ], + "ec" => [ "ecdsa", "ecdh", "sm2" ], "dgram" => [ "dtls", "sctp" ], "sock" => [ "dgram" ], @@ -526,7 +526,6 @@ my @disable_cascades = ( "apps" => [ "tests" ], "tests" => [ "external-tests" ], "comp" => [ "zlib" ], - "ec" => [ "tls1_3", "sm2" ], "sm3" => [ "sm2" ], sub { !$disabled{"unit-test"} } => [ "heartbeats" ], diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 358142e935..2e041d5887 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3578,7 +3578,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return ssl_cert_set_current(s->cert, larg); -#ifndef OPENSSL_NO_EC case SSL_CTRL_GET_GROUPS: { uint16_t *clist; @@ -3623,7 +3622,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) } return id; } -#endif + case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(s->cert, parg, larg, 0); @@ -3899,7 +3898,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; #endif -#ifndef OPENSSL_NO_EC case SSL_CTRL_SET_GROUPS: return tls1_set_groups(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, @@ -3909,7 +3907,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) return tls1_set_groups_list(&ctx->ext.supportedgroups, &ctx->ext.supportedgroups_len, parg); -#endif + case SSL_CTRL_SET_SIGALGS: return tls1_set_sigalgs(ctx->cert, parg, larg, 0); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index cf79ac50af..4e4477d2e1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -780,6 +780,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->ext.ecpointformats_len = ctx->ext.ecpointformats_len; } +#endif if (ctx->ext.supportedgroups) { s->ext.supportedgroups = OPENSSL_memdup(ctx->ext.supportedgroups, @@ -789,7 +790,7 @@ SSL *SSL_new(SSL_CTX *ctx) goto err; s->ext.supportedgroups_len = ctx->ext.supportedgroups_len; } -#endif + #ifndef OPENSSL_NO_NEXTPROTONEG s->ext.npn = NULL; #endif diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 0e661d00d7..e521152da3 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -959,9 +959,10 @@ struct ssl_ctx_st { /* EC extension values inherited by SSL structure */ size_t ecpointformats_len; unsigned char *ecpointformats; +# endif /* OPENSSL_NO_EC */ + size_t supportedgroups_len; uint16_t *supportedgroups; -# endif /* OPENSSL_NO_EC */ /* * ALPN information (we are in the process of transitioning from NPN to @@ -2525,8 +2526,6 @@ __owur int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); -# ifndef OPENSSL_NO_EC - __owur const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t curve_id); __owur int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_curves); __owur uint16_t tls1_shared_group(SSL *s, int nmatch); @@ -2534,15 +2533,16 @@ __owur int tls1_set_groups(uint16_t **pext, size_t *pextlen, int *curves, size_t ncurves); __owur int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str); -void tls1_get_formatlist(SSL *s, const unsigned char **pformats, - size_t *num_formats); -__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); __owur EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id); __owur int tls_valid_group(SSL *s, uint16_t group_id, int version); __owur EVP_PKEY *ssl_generate_param_group(uint16_t id); +# ifndef OPENSSL_NO_EC +void tls1_get_formatlist(SSL *s, const unsigned char **pformats, + size_t *num_formats); +__owur int tls1_check_ec_tmp_key(SSL *s, unsigned long id); # endif /* OPENSSL_NO_EC */ -__owur int tls_curve_allowed(SSL *s, uint16_t curve, int op); +__owur int tls_group_allowed(SSL *s, uint16_t curve, int op); void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, size_t *pgroupslen); diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 2e51aab4af..9023e47599 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -46,9 +46,7 @@ static int init_etm(SSL *s, unsigned int context); static int init_ems(SSL *s, unsigned int context); static int final_ems(SSL *s, unsigned int context, int sent); static int init_psk_kex_modes(SSL *s, unsigned int context); -#ifndef OPENSSL_NO_EC static int final_key_share(SSL *s, unsigned int context, int sent); -#endif #ifndef OPENSSL_NO_SRTP static int init_srtp(SSL *s, unsigned int context); #endif @@ -162,6 +160,10 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats, final_ec_pt_formats }, +#else + INVALID_EXTENSION, +#endif +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) { /* * "supported_groups" is spread across several specifications. @@ -197,7 +199,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { }, #else INVALID_EXTENSION, - INVALID_EXTENSION, #endif { TLSEXT_TYPE_session_ticket, @@ -322,7 +323,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { init_psk_kex_modes, tls_parse_ctos_psk_kex_modes, NULL, NULL, tls_construct_ctos_psk_kex_modes, NULL }, -#ifndef OPENSSL_NO_EC { /* * Must be in this list after supported_groups. We need that to have @@ -336,7 +336,6 @@ static const EXTENSION_DEFINITION ext_defs[] = { tls_construct_stoc_key_share, tls_construct_ctos_key_share, final_key_share }, -#endif { /* Must be after key_share */ TLSEXT_TYPE_cookie, @@ -1266,7 +1265,6 @@ static int final_sig_algs(SSL *s, unsigned int context, int sent) return 1; } -#ifndef OPENSSL_NO_EC static int final_key_share(SSL *s, unsigned int context, int sent) { if (!SSL_IS_TLS13(s)) @@ -1429,7 +1427,6 @@ static int final_key_share(SSL *s, unsigned int context, int sent) return 1; } -#endif static int init_psk_kex_modes(SSL *s, unsigned int context) { diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index a29b7c021a..b12361f36a 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -113,11 +113,13 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, #endif #ifndef OPENSSL_NO_EC -static int use_ecc(SSL *s) +static int use_ecc(SSL *s, int max_version) { int i, end, ret = 0; unsigned long alg_k, alg_a; STACK_OF(SSL_CIPHER) *cipher_stack = NULL; + const uint16_t *pgroups = NULL; + size_t num_groups, j; /* See if we support any ECC ciphersuites */ if (s->version == SSL3_VERSION) @@ -137,9 +139,21 @@ static int use_ecc(SSL *s) break; } } - sk_SSL_CIPHER_free(cipher_stack); - return ret; + if (!ret) + return 0; + + /* Check we have at least one EC supported group */ + tls1_get_supported_groups(s, &pgroups, &num_groups); + for (j = 0; j < num_groups; j++) { + uint16_t ctmp = pgroups[j]; + + if (tls_valid_group(s, ctmp, max_version) + && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) + return 1; + } + + return 0; } EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, @@ -148,8 +162,15 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, { const unsigned char *pformats; size_t num_formats; + int reason, min_version, max_version; - if (!use_ecc(s)) + reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); + if (reason != 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, + SSL_F_TLS_CONSTRUCT_CTOS_EC_PT_FORMATS, reason); + return EXT_RETURN_FAIL; + } + if (!use_ecc(s, max_version)) return EXT_RETURN_NOT_SENT; /* Add TLS extension ECPointFormats to the ClientHello message */ @@ -167,7 +188,9 @@ EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, return EXT_RETURN_SENT; } +#endif +#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC) EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -176,9 +199,6 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, size_t num_groups = 0, i; int min_version, max_version, reason; - if (!use_ecc(s)) - return EXT_RETURN_NOT_SENT; - reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL); if (reason != 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, @@ -186,6 +206,14 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, return EXT_RETURN_FAIL; } +#if defined(OPENSSL_NO_EC) + if (max_version < TLS1_3_VERSION) + return EXT_RETURN_NOT_SENT; +#else + if (!use_ecc(s, max_version) && max_version < TLS1_3_VERSION) + return EXT_RETURN_NOT_SENT; +#endif + /* * Add TLS extension supported_groups to the ClientHello message */ @@ -206,7 +234,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, uint16_t ctmp = pgroups[i]; if (tls_valid_group(s, ctmp, max_version) - && tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { + && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) { if (!WPACKET_put_bytes_u16(pkt, ctmp)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS, @@ -683,7 +711,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, } else { for (i = 0; i < num_groups; i++) { - if (!tls_curve_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) + if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) continue; curve_id = pgroups[i]; @@ -1843,7 +1871,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x, break; } if (i >= num_groups - || !tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { + || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE); return 0; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 37f5819346..6181f3f268 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -946,7 +946,7 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x, return 1; } -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { @@ -1400,7 +1400,7 @@ EXT_RETURN tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, } #endif -#ifndef OPENSSL_NO_EC +#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) @@ -1425,7 +1425,7 @@ EXT_RETURN tls_construct_stoc_supported_groups(SSL *s, WPACKET *pkt, uint16_t group = groups[i]; if (tls_valid_group(s, group, SSL_version(s)) - && tls_curve_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { + && tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) { if (first) { /* * Check if the client is already using our preferred group. If diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index e6d2478dcb..292f99c88f 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -2137,7 +2137,6 @@ int ssl_set_client_hello_version(SSL *s) * used. Returns 1 if the group is in the list (and allowed if |checkallow| is * 1) or 0 otherwise. */ -#ifndef OPENSSL_NO_EC int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, size_t num_groups, int checkallow) { @@ -2151,14 +2150,13 @@ int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, if (group_id == group && (!checkallow - || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { + || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { return 1; } } return 0; } -#endif /* Replace ClientHello1 in the transcript hash with a synthetic message */ int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index 8f27deb9c5..f4242fa2a4 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -199,9 +199,9 @@ int tls_parse_ctos_early_data(SSL *s, PACKET *pkt, unsigned int context, #ifndef OPENSSL_NO_EC int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); +#endif int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidxl); -#endif int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx); int tls_parse_ctos_sig_algs_cert(SSL *s, PACKET *pkt, unsigned int context, @@ -314,10 +314,11 @@ EXT_RETURN tls_construct_ctos_srp(SSL *s, WPACKET *pkt, unsigned int context, X5 EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); +#endif EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); -#endif + EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 52e6d5426a..373f1c58d6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -128,12 +128,11 @@ int tls1_clear(SSL *s) return 1; } -#ifndef OPENSSL_NO_EC - /* - * Table of curve information. + * Table of group information. */ static const TLS_GROUP_INFO nid_list[] = { +#ifndef OPENSSL_NO_EC {NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */ {NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */ {NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */ @@ -164,38 +163,49 @@ static const TLS_GROUP_INFO nid_list[] = { {NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */ {EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */ {EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */ +#endif /* OPENSSL_NO_EC */ +#ifndef OPENSSL_NO_DH /* Security bit values for FFDHE groups are updated as per RFC 7919 */ {NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */ {NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */ {NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */ {NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */ {NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */ +#endif /* OPENSSL_NO_DH */ }; +#ifndef OPENSSL_NO_EC static const unsigned char ecformats_default[] = { TLSEXT_ECPOINTFORMAT_uncompressed, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime, TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 }; +#endif /* The default curves */ static const uint16_t supported_groups_default[] = { +#ifndef OPENSSL_NO_EC 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 30, /* X448 (30) */ 25, /* secp521r1 (25) */ 24, /* secp384r1 (24) */ +#endif +#ifndef OPENSSL_NO_DH 0x100, /* ffdhe2048 (0x100) */ 0x101, /* ffdhe3072 (0x101) */ 0x102, /* ffdhe4096 (0x102) */ 0x103, /* ffdhe6144 (0x103) */ 0x104, /* ffdhe8192 (0x104) */ +#endif }; +#ifndef OPENSSL_NO_EC static const uint16_t suiteb_curves[] = { TLSEXT_curve_P_256, TLSEXT_curve_P_384 }; +#endif const TLS_GROUP_INFO *tls1_group_id_lookup(uint16_t group_id) { @@ -230,6 +240,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, /* For Suite B mode only include P-256, P-384 */ switch (tls1_suiteb(s)) { +#ifndef OPENSSL_NO_EC case SSL_CERT_FLAG_SUITEB_128_LOS: *pgroups = suiteb_curves; *pgroupslen = OSSL_NELEM(suiteb_curves); @@ -244,6 +255,7 @@ void tls1_get_supported_groups(SSL *s, const uint16_t **pgroups, *pgroups = suiteb_curves + 1; *pgroupslen = 1; break; +#endif default: if (s->ext.supportedgroups == NULL) { @@ -268,25 +280,25 @@ int tls_valid_group(SSL *s, uint16_t group_id, int version) return 1; } -/* See if curve is allowed by security callback */ -int tls_curve_allowed(SSL *s, uint16_t curve, int op) +/* See if group is allowed by security callback */ +int tls_group_allowed(SSL *s, uint16_t group, int op) { - const TLS_GROUP_INFO *cinfo = tls1_group_id_lookup(curve); - unsigned char ctmp[2]; + const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(group); + unsigned char gtmp[2]; - if (cinfo == NULL) + if (ginfo == NULL) return 0; -# ifdef OPENSSL_NO_EC2M - if (cinfo->flags & TLS_GROUP_CURVE_CHAR2) +#ifdef OPENSSL_NO_EC2M + if (ginfo->flags & TLS_GROUP_CURVE_CHAR2) return 0; -# endif -# ifdef OPENSSL_NO_DH - if (cinfo->flags & TLS_GROUP_FFDHE) +#endif +#ifdef OPENSSL_NO_DH + if (ginfo->flags & TLS_GROUP_FFDHE) return 0; -# endif - ctmp[0] = curve >> 8; - ctmp[1] = curve & 0xff; - return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); +#endif + gtmp[0] = group >> 8; + gtmp[1] = group & 0xff; + return ssl_security(s, op, ginfo->secbits, ginfo->nid, (void *)gtmp); } /* Return 1 if "id" is in "list" */ @@ -349,7 +361,7 @@ uint16_t tls1_shared_group(SSL *s, int nmatch) uint16_t id = pref[i]; if (!tls1_in_list(id, supp, num_supp) - || !tls_curve_allowed(s, id, SSL_SECOP_CURVE_SHARED)) + || !tls_group_allowed(s, id, SSL_SECOP_CURVE_SHARED)) continue; if (nmatch == k) return id; @@ -404,28 +416,30 @@ err: return 0; } -# define MAX_CURVELIST OSSL_NELEM(nid_list) +#define MAX_GROUPLIST OSSL_NELEM(nid_list) typedef struct { size_t nidcnt; - int nid_arr[MAX_CURVELIST]; + int nid_arr[MAX_GROUPLIST]; } nid_cb_st; static int nid_cb(const char *elem, int len, void *arg) { nid_cb_st *narg = arg; size_t i; - int nid; + int nid = NID_undef; char etmp[20]; if (elem == NULL) return 0; - if (narg->nidcnt == MAX_CURVELIST) + if (narg->nidcnt == MAX_GROUPLIST) return 0; if (len > (int)(sizeof(etmp) - 1)) return 0; memcpy(etmp, elem, len); etmp[len] = 0; +#ifndef OPENSSL_NO_EC nid = EC_curve_nist2nid(etmp); +#endif if (nid == NID_undef) nid = OBJ_sn2nid(etmp); if (nid == NID_undef) @@ -450,64 +464,6 @@ int tls1_set_groups_list(uint16_t **pext, size_t *pextlen, const char *str) return 1; return tls1_set_groups(pext, pextlen, ncb.nid_arr, ncb.nidcnt); } -/* Return group id of a key */ -static uint16_t tls1_get_group_id(EVP_PKEY *pkey) -{ - EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); - const EC_GROUP *grp; - - if (ec == NULL) - return 0; - grp = EC_KEY_get0_group(ec); - return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); -} - -/* Check a key is compatible with compression extension */ -static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) -{ - const EC_KEY *ec; - const EC_GROUP *grp; - unsigned char comp_id; - size_t i; - - /* If not an EC key nothing to check */ - if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) - return 1; - ec = EVP_PKEY_get0_EC_KEY(pkey); - grp = EC_KEY_get0_group(ec); - - /* Get required compression id */ - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { - comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } else if (SSL_IS_TLS13(s)) { - /* - * ec_point_formats extension is not used in TLSv1.3 so we ignore - * this check. - */ - return 1; - } else { - int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); - - if (field_type == NID_X9_62_prime_field) - comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; - else if (field_type == NID_X9_62_characteristic_two_field) - comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - else - return 0; - } - /* - * If point formats extension present check it, otherwise everything is - * supported (see RFC4492). - */ - if (s->session->ext.ecpointformats == NULL) - return 1; - - for (i = 0; i < s->session->ext.ecpointformats_len; i++) { - if (s->session->ext.ecpointformats[i] == comp_id) - return 1; - } - return 0; -} /* Check a group id matches preferences */ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) @@ -541,7 +497,7 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return 0; } - if (!tls_curve_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) + if (!tls_group_allowed(s, group_id, SSL_SECOP_CURVE_CHECK)) return 0; /* For clients, nothing more to check */ @@ -562,6 +518,7 @@ int tls1_check_group_id(SSL *s, uint16_t group_id, int check_own_groups) return tls1_in_list(group_id, groups, groups_len); } +#ifndef OPENSSL_NO_EC void tls1_get_formatlist(SSL *s, const unsigned char **pformats, size_t *num_formats) { @@ -581,6 +538,65 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats, } } +/* Check a key is compatible with compression extension */ +static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey) +{ + const EC_KEY *ec; + const EC_GROUP *grp; + unsigned char comp_id; + size_t i; + + /* If not an EC key nothing to check */ + if (EVP_PKEY_id(pkey) != EVP_PKEY_EC) + return 1; + ec = EVP_PKEY_get0_EC_KEY(pkey); + grp = EC_KEY_get0_group(ec); + + /* Get required compression id */ + if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) { + comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + } else if (SSL_IS_TLS13(s)) { + /* + * ec_point_formats extension is not used in TLSv1.3 so we ignore + * this check. + */ + return 1; + } else { + int field_type = EC_METHOD_get_field_type(EC_GROUP_method_of(grp)); + + if (field_type == NID_X9_62_prime_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; + else if (field_type == NID_X9_62_characteristic_two_field) + comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; + else + return 0; + } + /* + * If point formats extension present check it, otherwise everything is + * supported (see RFC4492). + */ + if (s->session->ext.ecpointformats == NULL) + return 1; + + for (i = 0; i < s->session->ext.ecpointformats_len; i++) { + if (s->session->ext.ecpointformats[i] == comp_id) + return 1; + } + return 0; +} + +/* Return group id of a key */ +static uint16_t tls1_get_group_id(EVP_PKEY *pkey) +{ + EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); + const EC_GROUP *grp; + + if (ec == NULL) + return 0; + grp = EC_KEY_get0_group(ec); + return tls1_nid2group_id(EC_GROUP_get_curve_name(grp)); +} + /* * Check cert parameters compatible with extensions: currently just checks EC * certificates have compatible curves and compression. diff --git a/test/recipes/70-test_clienthello.t b/test/recipes/70-test_clienthello.t index a6b812aa26..0ccbc8ef56 100644 --- a/test/recipes/70-test_clienthello.t +++ b/test/recipes/70-test_clienthello.t @@ -15,6 +15,10 @@ setup("test_clienthello"); plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); +#No EC with TLSv1.3 confuses the padding calculations in this test +plan skip_all => "No EC with TLSv1.3 is not supported by this test" + if disabled("ec") && !disabled("tls1_3"); + plan tests => 1; ok(run(test(["clienthellotest", srctop_file("test", "session.pem")])), diff --git a/test/recipes/70-test_key_share.t b/test/recipes/70-test_key_share.t index eeec0554e3..b5b01907c6 100644 --- a/test/recipes/70-test_key_share.t +++ b/test/recipes/70-test_key_share.t @@ -36,7 +36,9 @@ use constant { use constant { X25519 => 0x1d, - P_256 => 0x17 + P_256 => 0x17, + FFDHE2048 => 0x0100, + FFDHE3072 => 0x0101 }; my $testtype; @@ -74,7 +76,11 @@ my $proxy = TLSProxy::Proxy->new( $testtype = EMPTY_EXTENSION; $direction = CLIENT_TO_SERVER; $proxy->filter(\&modify_key_shares_filter); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-groups ffdhe3072"); +} else { + $proxy->serverflags("-groups P-256"); +} $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 22; ok(TLSProxy::Message->success(), "Success after HRR"); @@ -95,31 +101,52 @@ ok(TLSProxy::Message->fail(), "Missing key_shares extension"); # HelloRetryRequest $proxy->clear(); $proxy->filter(undef); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-groups ffdhe3072"); +} else { + $proxy->serverflags("-groups P-256"); +} $proxy->start(); ok(TLSProxy::Message->success(), "No initial acceptable key_shares"); #Test 5: No acceptable key_shares and no shared groups should fail $proxy->clear(); $proxy->filter(undef); -$proxy->serverflags("-curves P-256"); -$proxy->clientflags("-curves P-384"); +if (disabled("ec")) { + $proxy->serverflags("-groups ffdhe2048"); +} else { + $proxy->serverflags("-groups P-256"); +} +if (disabled("ec")) { + $proxy->clientflags("-groups ffdhe3072"); +} else { + $proxy->clientflags("-groups P-384"); +} $proxy->start(); ok(TLSProxy::Message->fail(), "No acceptable key_shares"); #Test 6: A non preferred but acceptable key_share should succeed $proxy->clear(); $proxy->clientflags("-curves P-256"); +if (disabled("ec")) { + $proxy->clientflags("-groups ffdhe3072"); +} else { + $proxy->clientflags("-groups P-256"); +} $proxy->start(); ok(TLSProxy::Message->success(), "Non preferred key_share"); $proxy->filter(\&modify_key_shares_filter); -#Test 7: An acceptable key_share after a list of non-acceptable ones should -#succeed -$proxy->clear(); -$testtype = ACCEPTABLE_AT_END; -$proxy->start(); -ok(TLSProxy::Message->success(), "Acceptable key_share at end of list"); +SKIP: { + skip "No ec support in this OpenSSL build", 1 if disabled("ec"); + + #Test 7: An acceptable key_share after a list of non-acceptable ones should + #succeed + $proxy->clear(); + $testtype = ACCEPTABLE_AT_END; + $proxy->start(); + ok(TLSProxy::Message->success(), "Acceptable key_share at end of list"); +} #Test 8: An acceptable key_share but for a group not in supported_groups should #fail @@ -156,22 +183,45 @@ ok(TLSProxy::Message->fail(), "key_share list trailing data"); $proxy->clear(); $direction = SERVER_TO_CLIENT; $testtype = LOOK_ONLY; -$proxy->clientflags("-curves P-256:X25519"); +$selectedgroupid = 0; +if (disabled("ec")) { + $proxy->clientflags("-groups ffdhe3072:ffdhe2048"); +} else { + $proxy->clientflags("-groups P-256:X25519"); +} $proxy->start(); -ok(TLSProxy::Message->success() && ($selectedgroupid == P_256), - "Multiple acceptable key_shares"); +if (disabled("ec")) { + ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE3072), + "Multiple acceptable key_shares"); +} else { + ok(TLSProxy::Message->success() && ($selectedgroupid == P_256), + "Multiple acceptable key_shares"); +} #Test 14: Multiple acceptable key_shares - we choose the first one (part 2) $proxy->clear(); -$proxy->clientflags("-curves X25519:P-256"); +if (disabled("ec")) { + $proxy->clientflags("-curves ffdhe2048:ffdhe3072"); +} else { + $proxy->clientflags("-curves X25519:P-256"); +} $proxy->start(); -ok(TLSProxy::Message->success() && ($selectedgroupid == X25519), - "Multiple acceptable key_shares (part 2)"); +if (disabled("ec")) { + ok(TLSProxy::Message->success() && ($selectedgroupid == FFDHE2048), + "Multiple acceptable key_shares (part 2)"); +} else { + ok(TLSProxy::Message->success() && ($selectedgroupid == X25519), + "Multiple acceptable key_shares (part 2)"); +} #Test 15: Server sends key_share that wasn't offered should fail $proxy->clear(); $testtype = SELECT_X25519; -$proxy->clientflags("-curves P-256"); +if (disabled("ec")) { + $proxy->clientflags("-groups ffdhe3072"); +} else { + $proxy->clientflags("-groups P-256"); +} $proxy->start(); ok(TLSProxy::Message->fail(), "Non offered key_share"); @@ -229,7 +279,11 @@ SKIP: { $proxy->clear(); $direction = SERVER_TO_CLIENT; $testtype = NO_KEY_SHARES_IN_HRR; -$proxy->serverflags("-curves X25519"); +if (disabled("ec")) { + $proxy->serverflags("-groups ffdhe2048"); +} else { + $proxy->serverflags("-groups X25519"); +} $proxy->start(); ok(TLSProxy::Message->fail(), "Server sends HRR with no key_shares"); diff --git a/test/recipes/70-test_sslextension.t b/test/recipes/70-test_sslextension.t index e725b44f9c..93d7f47bf2 100644 --- a/test/recipes/70-test_sslextension.t +++ b/test/recipes/70-test_sslextension.t @@ -217,7 +217,10 @@ SKIP: { $proxy->clientflags("-no_tls1_3 -noservername"); $proxy->start(); ok($fatal_alert, "Unsolicited server name extension"); - +} +SKIP: { + skip "TLS <= 1.2 disabled or EC disabled", 1 + if $no_below_tls13 || disabled("ec"); #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2) $proxy->clear(); $proxy->filter(\&inject_unsolicited_extension); diff --git a/test/recipes/70-test_tls13cookie.t b/test/recipes/70-test_tls13cookie.t index 3f324e3a01..aef2cf8848 100644 --- a/test/recipes/70-test_tls13cookie.t +++ b/test/recipes/70-test_tls13cookie.t @@ -46,17 +46,27 @@ my $testtype; #Test 1: Inserting a cookie into an HRR should see it echoed in the ClientHello $testtype = COOKIE_ONLY; $proxy->filter(\&cookie_filter); -$proxy->serverflags("-curves X25519"); +$proxy->serverflags("-curves X25519") if !disabled("ec"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 2; -ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen"); +SKIP: { + skip "EC disabled", 1, if disabled("ec"); + ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen"); +} + + #Test 2: Same as test 1 but should also work where a new key_share is also # required $testtype = COOKIE_AND_KEY_SHARE; $proxy->clear(); -$proxy->clientflags("-curves P-256:X25519"); -$proxy->serverflags("-curves X25519"); +if (disabled("ec")) { + $proxy->clientflags("-curves ffdhe3072:ffdhe2048"); + $proxy->serverflags("-curves ffdhe2048"); +} else { + $proxy->clientflags("-curves P-256:X25519"); + $proxy->serverflags("-curves X25519"); +} $proxy->start(); ok(TLSProxy::Message->success() && $cookieseen == 1, "Cookie seen"); diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t index 44ca041313..8f6e54e235 100644 --- a/test/recipes/70-test_tls13hrr.t +++ b/test/recipes/70-test_tls13hrr.t @@ -43,7 +43,11 @@ use constant { #Test 1: A client should fail if the server changes the ciphersuite between the # HRR and the SH $proxy->filter(\&hrr_filter); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} my $testtype = CHANGE_HRR_CIPHERSUITE; $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; plan tests => 2; @@ -52,7 +56,11 @@ ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); #Test 2: It is an error if the client changes the offered ciphersuites so that # we end up selecting a different ciphersuite between HRR and the SH $proxy->clear(); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} $proxy->ciphersuitess("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); $testtype = CHANGE_CH1_CIPHERSUITE; $proxy->start(); diff --git a/test/recipes/70-test_tls13kexmodes.t b/test/recipes/70-test_tls13kexmodes.t index 36506011c9..069d6149dd 100644 --- a/test/recipes/70-test_tls13kexmodes.t +++ b/test/recipes/70-test_tls13kexmodes.t @@ -28,6 +28,9 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLSv1.3 enabled" if disabled("tls1_3"); +plan skip_all => "$test_name needs EC enabled" + if disabled("ec"); + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); diff --git a/test/recipes/70-test_tls13messages.t b/test/recipes/70-test_tls13messages.t index e961528c7c..a3fc35e438 100644 --- a/test/recipes/70-test_tls13messages.t +++ b/test/recipes/70-test_tls13messages.t @@ -28,6 +28,9 @@ plan skip_all => "$test_name needs the sock feature enabled" plan skip_all => "$test_name needs TLSv1.3 enabled" if disabled("tls1_3"); +plan skip_all => "$test_name needs EC enabled" + if disabled("ec"); + $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf"); diff --git a/test/recipes/70-test_tls13psk.t b/test/recipes/70-test_tls13psk.t index 40e6ed105b..11031f3f44 100644 --- a/test/recipes/70-test_tls13psk.t +++ b/test/recipes/70-test_tls13psk.t @@ -66,7 +66,11 @@ ok(TLSProxy::Message->fail(), "PSK not last"); # ciphersuite. Should see PSK on second ClientHello $proxy->clear(); $proxy->clientflags("-sess_in ".$session); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} $proxy->filter(undef); $proxy->start(); #Check if the PSK is present in the second ClientHello @@ -81,7 +85,11 @@ ok($pskseen, "PSK hash matches"); $proxy->clear(); $proxy->clientflags("-sess_in ".$session); $proxy->filter(\&modify_psk_filter); -$proxy->serverflags("-curves P-256"); +if (disabled("ec")) { + $proxy->serverflags("-curves ffdhe3072"); +} else { + $proxy->serverflags("-curves P-256"); +} $proxy->ciphersuitesc("TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"); $proxy->ciphersuitess("TLS_AES_256_GCM_SHA384"); #We force an early failure because TLS Proxy doesn't actually support diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t index 31c4399dc3..04a0c13394 100644 --- a/test/recipes/80-test_ssl_new.t +++ b/test/recipes/80-test_ssl_new.t @@ -59,7 +59,7 @@ my %conf_dependent_tests = ( || !disabled("sctp"), "05-sni.conf" => disabled("tls1_1"), "07-dtls-protocol-version.conf" => !$is_default_dtls || !disabled("sctp"), - "10-resumption.conf" => !$is_default_tls, + "10-resumption.conf" => !$is_default_tls || $no_ec, "11-dtls_resumption.conf" => !$is_default_dtls || !disabled("sctp"), "16-dtls-certstatus.conf" => !$is_default_dtls || !disabled("sctp"), "17-renegotiate.conf" => disabled("tls1_2"), diff --git a/test/recipes/90-test_gost.t b/test/recipes/90-test_gost.t index d4f27b8909..b01243fa62 100644 --- a/test/recipes/90-test_gost.t +++ b/test/recipes/90-test_gost.t @@ -21,6 +21,10 @@ plan skip_all => "GOST support is disabled in this OpenSSL build" plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build" if disabled("tls1_3") || disabled("tls1_2"); +plan skip_all => "EC is disabled in this OpenSSL build" + if disabled("ec"); + + plan skip_all => "No test GOST engine found" if !$ENV{OPENSSL_GOST_ENGINE_SO}; diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 6c2e7789b6..6923e2120a 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -252,7 +252,7 @@ sub generate_resumption_tests { "client" => { }, "server" => { - "Curves" => "P-256" + "Curves" => disabled("ec") ? "ffdhe3072" : "P-256" }, "resume_client" => { }, diff --git a/test/sslapitest.c b/test/sslapitest.c index efa42a0dc8..9a993f7c63 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -2960,8 +2960,13 @@ static int early_data_skip_helper(int testtype, int idx) if (testtype == 1 || testtype == 2) { /* Force an HRR to occur */ +#if defined(OPENSSL_NO_EC) + if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) + goto end; +#else if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) goto end; +#endif } else if (idx == 2) { /* * We force early_data rejection by ensuring the PSK identity is @@ -3738,8 +3743,8 @@ static int test_ciphersuite_change(void) /* * Test TLSv1.3 Key exchange * Test 0 = Test ECDHE Key exchange - * Test 1 = Test FFDHE Key exchange - * Test 2 = Test ECDHE with TLSv1.2 client and TLSv1.2 server + * Test 1 = Test ECDHE with TLSv1.2 client and TLSv1.2 server + * Test 2 = Test FFDHE Key exchange * Test 3 = Test FFDHE with TLSv1.2 client and TLSv1.2 server */ static int test_tls13_key_exchange(int idx) @@ -3747,8 +3752,10 @@ static int test_tls13_key_exchange(int idx) SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; +#ifndef OPENSSL_NO_EC int ecdhe_kexch_groups[] = {NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, NID_X25519, NID_X448}; +#endif #ifndef OPENSSL_NO_DH int ffdhe_kexch_groups[] = {NID_ffdhe2048, NID_ffdhe3072, NID_ffdhe4096, NID_ffdhe6144, NID_ffdhe8192}; @@ -3761,32 +3768,22 @@ static int test_tls13_key_exchange(int idx) int expected_err_reason = 0; switch (idx) { - case 0: - kexch_groups = ecdhe_kexch_groups; - kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); - break; #ifndef OPENSSL_NO_DH - case 1: + case 3: + max_version = TLS1_2_VERSION; + /* Fall through */ + case 2: kexch_groups = ffdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); break; #endif - case 2: +#ifndef OPENSSL_NO_EC + case 1: + max_version = TLS1_2_VERSION; + /* Fall through */ + case 0: kexch_groups = ecdhe_kexch_groups; kexch_groups_size = OSSL_NELEM(ecdhe_kexch_groups); - max_version = TLS1_2_VERSION; - expected_err_func = SSL_F_TLS_POST_PROCESS_CLIENT_HELLO; - expected_err_reason = SSL_R_NO_SHARED_CIPHER; - want_err = SSL_ERROR_SSL; - break; -#ifndef OPENSSL_NO_DH - case 3: - kexch_groups = ffdhe_kexch_groups; - kexch_groups_size = OSSL_NELEM(ffdhe_kexch_groups); - max_version = TLS1_2_VERSION; - want_err = SSL_ERROR_SSL; - expected_err_func = SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS; - expected_err_reason = ERR_R_INTERNAL_ERROR; break; #endif default: @@ -3805,10 +3802,16 @@ static int test_tls13_key_exchange(int idx) if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, TLS1_3_RFC_AES_128_GCM_SHA256))) goto end; - if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) + if (!TEST_true(SSL_CTX_set_cipher_list(sctx, TLS1_TXT_RSA_WITH_AES_128_SHA))) goto end; - if (!TEST_true(SSL_CTX_set_cipher_list(cctx, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM))) + /* + * Must include an EC ciphersuite so that we send supported groups in + * TLSv1.2 + */ + if (!TEST_true(SSL_CTX_set_cipher_list(cctx, + TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM ":" + TLS1_TXT_RSA_WITH_AES_128_SHA))) goto end; if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, @@ -3828,14 +3831,20 @@ static int test_tls13_key_exchange(int idx) /* Fail if expected error is not happening for failure testcases */ if (expected_err_func) { unsigned long err_code = ERR_get_error(); + ERR_print_errors_fp(stdout); if (TEST_int_eq(ERR_GET_FUNC(err_code), expected_err_func) && TEST_int_eq(ERR_GET_REASON(err_code), expected_err_reason)) testresult = 1; goto end; } - /* If Handshake succeeds the negotiated kexch alg should the first one in configured */ - if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), kexch_groups[0])) + /* + * If Handshake succeeds the negotiated kexch alg should the first one in + * configured, except in the case of FFDHE groups which are TLSv1.3 only + * so we expect no shared group to exist. + */ + if (!TEST_int_eq(SSL_get_shared_group(serverssl, 0), + idx == 3 ? 0 : kexch_groups[0])) goto end; testresult = 1; @@ -3990,8 +3999,13 @@ static int test_tls13_psk(int idx) goto end; /* Force an HRR */ +#if defined(OPENSSL_NO_EC) + if (!TEST_true(SSL_set1_groups_list(serverssl, "ffdhe3072"))) + goto end; +#else if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) goto end; +#endif /* * Check we can create a connection, the PSK is used and the callbacks are diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c index d89354c142..d0bc43a8fa 100644 --- a/test/tls13ccstest.c +++ b/test/tls13ccstest.c @@ -315,8 +315,13 @@ static int test_tls13ccs(int tst) if ((tst >= 3 && tst <= 5) || tst >= 9) { /* HRR handshake */ +#if defined(OPENSSL_NO_EC) + if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "ffdhe3072"))) + goto err; +#else if (!TEST_true(SSL_CTX_set1_groups_list(sctx, "P-256"))) goto err; +#endif } s_to_c_fbio = BIO_new(bio_f_watchccs_filter()); -- 2.25.1