Fix no-ec and no-tls1_2

Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7620)
2025-03-31 20:10:45 +08:00 · 2018-11-12 14:23:07 +00:00 · 2018-11-12 14:23:07 +00:00 · 65d2c16cbe
commit 65d2c16cbe
parent 2dc37bc2b4
6 changed files with 58 additions and 36 deletions
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+#  ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+#  endif
 __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
 __owur int ssl_set_client_disabled(SSL *s);
 __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
 */
 static int is_tls13_capable(const SSL *s)
 {
-    int i, curve;
+    int i;
+#ifndef OPENSSL_NO_EC
+    int curve;
    EC_KEY *eckey;
+#endif

 #ifndef OPENSSL_NO_PSK
    if (s->psk_server_callback != NULL)
@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
        }
        if (!ssl_has_cert(s, i))
            continue;
+#ifndef OPENSSL_NO_EC
        if (i != SSL_PKEY_ECC)
            return 1;
        /*
@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
        curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
        if (tls_check_sigalg_curve(s, curve))
            return 1;
+#else
+        return 1;
+#endif
    }

    return 0;
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
    }
 }

+#ifndef OPENSSL_NO_EC
 /*
 * Called by servers only. Checks that we have a sig alg that supports the
 * specified EC curve.
@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)

    return 0;
 }
+#endif

 /*
 * Check signature algorithm is consistent with sent supported signature
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@ -69,6 +69,7 @@ my %conf_dependent_tests = (
  "22-compression.conf" => !$is_default_tls,
  "25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
  "27-ticket-appdata.conf" => !$is_default_tls,
+  "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
 );

 # Add your test here if it should be skipped for some compile-time
--- a/test/ssl-tests/28-seclevel.conf
+++ b/test/ssl-tests/28-seclevel.conf
@ -4,8 +4,8 @@ num_tests = 4

 test-0 = 0-SECLEVEL 3 with default key
 test-1 = 1-SECLEVEL 3 with ED448 key
-test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
-test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
 # ===========================================================

 [0-SECLEVEL 3 with default key]
@ -54,22 +54,22 @@ ExpectedResult = Success

 # ===========================================================

-[2-SECLEVEL 3 with ED448 key, TLSv1.2]
-ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl

-[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
-server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
-client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client

-[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem

-[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer

 [test-2]
@ -78,22 +78,22 @@ ExpectedResult = Success

 # ===========================================================

-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
-ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+[3-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl

-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
-server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
-client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client

-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-Groups = X25519
-PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem

-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
-CipherString = ECDHE:@SECLEVEL=3
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer

 [test-3]
--- a/test/ssl-tests/28-seclevel.conf.in
+++ b/test/ssl-tests/28-seclevel.conf.in
@ -10,6 +10,7 @@
 ## SSL test configurations

 package ssltests;
+use OpenSSL::Test::Utils;

 our @tests = (
    {
@ -18,6 +19,9 @@ our @tests = (
        client => { },
        test   => { "ExpectedResult" => "ServerFail" },
    },
+);
+
+our @tests_ec = (
    {
        name => "SECLEVEL 3 with ED448 key",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@ -26,15 +30,6 @@ our @tests = (
        client => { },
        test   => { "ExpectedResult" => "Success" },
    },
-    {
-        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
-        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
-                    "Certificate" => test_pem("server-ed448-cert.pem"),
-                    "PrivateKey" => test_pem("server-ed448-key.pem"),
-                    "MaxProtocol" => "TLSv1.2" },
-        client => { },
-        test   => { "ExpectedResult" => "Success" },
-    },
    {
        name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@ -46,3 +41,18 @@ our @tests = (
        test   => { "ExpectedResult" => "Success" },
    },
 );
+
+our @tests_tls1_2 = (
+    {
+        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem"),
+                    "MaxProtocol" => "TLSv1.2" },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+);
+
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");