root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Unbreak SECLEVEL 3 regression causing it to not accept any ciphers. 

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #7391
(cherry picked from commit 75b68c9e4e)
This commit is contained in:
Tomas Mraz 2018-10-12 17:24:14 +02:00 committed by Kurt Roeckx
parent 98f62979b2
commit e37b7014f3
4 changed files with 153 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/ssl_cert.c
View File

@ -951,8 +951,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
if (level >= 2 && c->algorithm_enc == SSL_RC4) if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0; return 0;
/* Level 3: forward secure ciphersuites only */ /* Level 3: forward secure ciphersuites only */
if (level >= 3 && (c->min_tls != TLS1_3_VERSION || if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
!(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))) !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
return 0; return 0;
break; break;
} }

2
test/recipes/80-test_ssl_new.t
View File

@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above # We hard-code the number of tests to double-check that the globbing above
# finds all files as expected. # finds all files as expected.
plan tests => 27; # = scalar @conf_srcs plan tests => 28; # = scalar @conf_srcs
# Some test results depend on the configuration of enabled protocols. We only # Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration. # verify generated sources in the default configuration.

102
test/ssl-tests/28-seclevel.conf Normal file
View File

@ -0,0 +1,102 @@
# Generated with generate_ssl_tests.pl
num_tests = 4
test-0 = 0-SECLEVEL 3 with default key
test-1 = 1-SECLEVEL 3 with ED448 key
test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
# ===========================================================
[0-SECLEVEL 3 with default key]
ssl_conf = 0-SECLEVEL 3 with default key-ssl
[0-SECLEVEL 3 with default key-ssl]
server = 0-SECLEVEL 3 with default key-server
client = 0-SECLEVEL 3 with default key-client
[0-SECLEVEL 3 with default key-server]
Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
CipherString = DEFAULT:@SECLEVEL=3
PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
[0-SECLEVEL 3 with default key-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-0]
ExpectedResult = ServerFail
# ===========================================================
[1-SECLEVEL 3 with ED448 key]
ssl_conf = 1-SECLEVEL 3 with ED448 key-ssl
[1-SECLEVEL 3 with ED448 key-ssl]
server = 1-SECLEVEL 3 with ED448 key-server
client = 1-SECLEVEL 3 with ED448 key-client
[1-SECLEVEL 3 with ED448 key-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
CipherString = DEFAULT:@SECLEVEL=3
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
[1-SECLEVEL 3 with ED448 key-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-1]
ExpectedResult = Success
# ===========================================================
[2-SECLEVEL 3 with ED448 key, TLSv1.2]
ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
CipherString = DEFAULT:@SECLEVEL=3
MaxProtocol = TLSv1.2
PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
CipherString = DEFAULT
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[test-2]
ExpectedResult = Success
# ===========================================================
[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
CipherString = DEFAULT:@SECLEVEL=3
Groups = X25519
PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
CipherString = ECDHE:@SECLEVEL=3
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
VerifyMode = Peer
[test-3]
ExpectedResult = Success

48
test/ssl-tests/28-seclevel.conf.in Normal file
View File

@ -0,0 +1,48 @@
# -*- mode: perl; -*-
# Copyright 2016-2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## SSL test configurations
package ssltests;
our @tests = (
{
name => "SECLEVEL 3 with default key",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3" },
client => { },
test => { "ExpectedResult" => "ServerFail" },
},
{
name => "SECLEVEL 3 with ED448 key",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
"Certificate" => test_pem("server-ed448-cert.pem"),
"PrivateKey" => test_pem("server-ed448-key.pem") },
client => { },
test => { "ExpectedResult" => "Success" },
},
{
name => "SECLEVEL 3 with ED448 key, TLSv1.2",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
"Certificate" => test_pem("server-ed448-cert.pem"),
"PrivateKey" => test_pem("server-ed448-key.pem"),
"MaxProtocol" => "TLSv1.2" },
client => { },
test => { "ExpectedResult" => "Success" },
},
{
name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
"Certificate" => test_pem("p384-server-cert.pem"),
"PrivateKey" => test_pem("p384-server-key.pem"),
"Groups" => "X25519" },
client => { "CipherString" => "ECDHE:\@SECLEVEL=3",
"VerifyCAFile" => test_pem("p384-root.pem") },
test => { "ExpectedResult" => "Success" },
},
);