The branch OpenSSL_1_1_1-stable has been updated via d1a8201e88f0a5d46731010bb442f0f207c74fe9 (commit) via 987f66d1d7b1ef3576101a56b78f52d3f0e77c07 (commit) from ce50fd96dc542fe22a42265019e556272fd060ba (commit)
- Log ----------------------------------------------------------------- commit d1a8201e88f0a5d46731010bb442f0f207c74fe9 Author: Pauli <pa...@openssl.org> Date: Sat Jun 19 16:17:38 2021 +1000 test: add test for auto DH security level meets the minimum Manual merge from https://github.com/openssl/openssl/pull/15818 Commit id d0e5230dcecc6013d351545ceb275aa2ba5baa80 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15832) commit 987f66d1d7b1ef3576101a56b78f52d3f0e77c07 Author: Pauli <pa...@openssl.org> Date: Sat Jun 19 16:16:36 2021 +1000 ssl: do not choose auto DH groups that are weaker than the security level manual merge from https://github.com/openssl/openssl/pull/15818 id d7b5c648d682b499b71320a03747602a6ba4dec3 Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15832) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_cert.c | 33 ++++++++++++++++++++++++--------- ssl/ssl_local.h | 1 + ssl/t1_lib.c | 9 ++++++++- test/recipes/80-test_ssl_old.t | 12 ++++++++++-- 4 files changed, 43 insertions(+), 12 deletions(-) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 5d3e83f328..c102473864 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -876,18 +876,36 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) return 1; } +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp) +{ + int level; + static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 }; + + if (ctx != NULL) + level = SSL_CTX_get_security_level(ctx); + else + level = SSL_get_security_level(s); + + if (level > 5) + level = 5; + else if (level < 0) + level = 0; + + if (levelp != NULL) + *levelp = level; + + return minbits_table[level]; +} + static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex) { int level, minbits; - static const int minbits_table[5] = { 80, 112, 128, 192, 256 }; - if (ctx) - level = SSL_CTX_get_security_level(ctx); - else - level = SSL_get_security_level(s); - if (level <= 0) { + minbits = ssl_get_security_level_bits(s, ctx, &level); + + if (level == 0) { /* * No EDH keys weaker than 1024-bits even at level 0, otherwise, * anything goes. @@ -896,9 +914,6 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, return 0; return 1; } - if (level > 5) - level = 5; - minbits = minbits_table[level - 1]; switch (op) { case SSL_SECOP_CIPHER_SUPPORTED: case SSL_SECOP_CIPHER_SHARED: diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index a357d4d950..f92472117a 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2305,6 +2305,7 @@ __owur int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, __owur int ssl_security(const SSL *s, int op, int bits, int nid, void *other); __owur int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other); +int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp); __owur int ssl_cert_lookup_by_nid(int nid, size_t *pidx); __owur const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 48d46f8a48..93228ec183 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2441,7 +2441,8 @@ DH *ssl_get_auto_dh(SSL *s) { DH *dhp = NULL; BIGNUM *p = NULL, *g = NULL; - int dh_secbits = 80; + int dh_secbits = 80, sec_level_bits; + if (s->cert->dh_tmp_auto != 2) { if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) { if (s->s3->tmp.new_cipher->strength_bits == 256) @@ -2464,6 +2465,12 @@ DH *ssl_get_auto_dh(SSL *s) BN_free(g); return NULL; } + + /* Do not pick a prime that is too weak for the current security level */ + sec_level_bits = ssl_get_security_level_bits(s, NULL, NULL); + if (dh_secbits < sec_level_bits) + dh_secbits = sec_level_bits; + if (dh_secbits >= 192) p = BN_get_rfc3526_prime_8192(NULL); else if (dh_secbits >= 152) diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index 377bf090ba..35cf0a7af8 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -476,10 +476,10 @@ sub testssl { subtest 'RSA/(EC)DHE/PSK tests' => sub { ###################################################################### - plan tests => 5; + plan tests => 6; SKIP: { - skip "TLSv1.0 is not supported by this OpenSSL build", 5 + skip "TLSv1.0 is not supported by this OpenSSL build", 6 if $no_tls1; SKIP: { @@ -514,6 +514,14 @@ sub testssl { ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123"])), 'test tls1 with PSK via BIO pair'); } + + SKIP: { + skip "skipping auto PSK tests", 1 + if ($no_dh || $no_psk || $no_ec); + + ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])), + 'test auto DH meets security strength'); + } } };