const char *str);
__owur EVP_PKEY *ssl_generate_pkey_group(SSL_CONNECTION *s, uint16_t id);
__owur int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id, int minversion,
- int maxversion, int isec, int *okfortls13);
+ int maxversion, int *okfortls13, const TLS_GROUP_INFO **giptr);
__owur EVP_PKEY *ssl_generate_param_group(SSL_CONNECTION *s, uint16_t id);
void tls1_get_formatlist(SSL_CONNECTION *s, const unsigned char **pformats,
size_t *num_formats);
#include "../ssl_local.h"
#include "internal/cryptlib.h"
#include "internal/ssl_unwrap.h"
+#include "internal/tlsgroups.h"
#include "statem_local.h"
+/* Used in the negotiate_dhe function */
+typedef enum {
+ ffdhe_check,
+ ecdhe_check,
+ ptfmt_check
+} dhe_check_t;
+
EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
}
#endif
-static int use_ecc(SSL_CONNECTION *s, int min_version, int max_version)
+/*
+ * With (D)TLS < 1.3 the only negotiated supported key exchange groups are
+ * FFDHE (RFC7919) and ECDHE/ECX (RFC8422 + legacy). With (D)TLS 1.3, we add
+ * KEMs, and the supported groups are no longer cipher-dependent.
+ *
+ * This function serves two purposes:
+ *
+ * - To determine whether to send the supported point formats extension.
+ * This is no longer applicable with (D)TLS >= 1.3.
+ * - To determine whether to send the supported groups extension.
+ *
+ * In the former case, we only care about whether both ECC ciphers and EC/ECX
+ * supported groups are configured, and the (D)TLS min version is at most 1.2.
+ *
+ * In the latter case, we also admit DHE ciphers with FFDHE groups, or any TLS
+ * 1.3 cipher, since the extension is effectively mandatory for (D)TLS 1.3,
+ * with the sole exception of psk-ke resumption, provided the client is sure
+ * that the server will not want elect a full handshake. The check type then
+ * indicates whether ECDHE or FFDHE negotiation should be performed.
+ */
+static int negotiate_dhe(SSL_CONNECTION *s, dhe_check_t check_type,
+ int min_version, int max_version)
{
int i, end, ret = 0;
- unsigned long alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
const uint16_t *pgroups = NULL;
size_t num_groups, j;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
+ int dtls = SSL_CONNECTION_IS_DTLS(s);
+ /* See if we support any EC or FFDHE ciphersuites */
cipher_stack = SSL_get1_supported_ciphers(ssl);
end = sk_SSL_CIPHER_num(cipher_stack);
for (i = 0; i < end; i++) {
const SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
-
- alg_k = c->algorithm_mkey;
- alg_a = c->algorithm_auth;
- if ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
- || (alg_a & SSL_aECDSA)
- || c->min_tls >= TLS1_3_VERSION) {
+ unsigned long alg_k = c->algorithm_mkey;
+ unsigned long alg_a = c->algorithm_auth;
+
+ int is_ffdhe_ciphersuite = (alg_k & (SSL_kDHE | SSL_kDHEPSK));
+ int is_ec_ciphersuite = ((alg_k & (SSL_kECDHE | SSL_kECDHEPSK))
+ || (alg_a & SSL_aECDSA));
+ int is_tls13 = (dtls ? DTLS_VERSION_GT(c->min_dtls, DTLS1_2_VERSION)
+ : (c->min_tls > TLS1_2_VERSION));
+
+ if ((check_type == ffdhe_check && (is_ffdhe_ciphersuite || is_tls13))
+ || (check_type == ecdhe_check && (is_ec_ciphersuite || is_tls13))
+ || (check_type == ptfmt_check && is_ec_ciphersuite)) {
ret = 1;
break;
}
}
sk_SSL_CIPHER_free(cipher_stack);
- if (!ret)
+ if (ret == 0)
return 0;
- /* Check we have at least one EC supported group */
+ /* Check we have at least one EC or FFDHE supported group */
tls1_get_supported_groups(s, &pgroups, &num_groups);
for (j = 0; j < num_groups; j++) {
uint16_t ctmp = pgroups[j];
+ const TLS_GROUP_INFO *ginfo = NULL;
+
+ if (!tls_valid_group(s, ctmp, min_version, max_version, NULL, &ginfo))
+ continue;
- if (tls_valid_group(s, ctmp, min_version, max_version, 1, NULL)
+ if (check_type == ffdhe_check && is_ffdhe_group(ginfo->group_id)
&& tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
return 1;
- }
+ if (check_type != ffdhe_check && is_ecdhe_group(ginfo->group_id)
+ && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+ return 1;
+ }
return 0;
}
SSLfatal(s, SSL_AD_INTERNAL_ERROR, reason);
return EXT_RETURN_FAIL;
}
- if (!use_ecc(s, min_version, max_version))
+ if (!negotiate_dhe(s, ptfmt_check, min_version, max_version))
return EXT_RETURN_NOT_SENT;
- /* Add TLS extension ECPointFormats to the ClientHello message */
tls1_get_formatlist(s, &pformats, &num_formats);
+ if (num_formats == 0)
+ return EXT_RETURN_NOT_SENT;
+ /* Add TLS extension ECPointFormats to the ClientHello message */
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_ec_point_formats)
/* Sub-packet for formats extension */
|| !WPACKET_start_sub_packet_u16(pkt)
const uint16_t *pgroups = NULL;
size_t num_groups = 0, i, tls13added = 0, added = 0;
int min_version, max_version, reason;
+ int dtls = SSL_CONNECTION_IS_DTLS(s);
+ int use_ecdhe, use_ffdhe;
reason = ssl_get_min_max_version(s, &min_version, &max_version, NULL);
if (reason != 0) {
}
/*
- * We only support EC groups in TLSv1.2 or below, and in DTLS. Therefore
- * if we don't have EC support then we don't send this extension.
+ * If we don't support suitable groups, don't send the extension
*/
- if (!use_ecc(s, min_version, max_version)
- && (SSL_CONNECTION_IS_DTLS(s) || max_version < TLS1_3_VERSION))
+ use_ecdhe = negotiate_dhe(s, ecdhe_check, min_version, max_version);
+ use_ffdhe = negotiate_dhe(s, ffdhe_check, min_version, max_version);
+ if (!use_ecdhe && !use_ffdhe
+ && (dtls ? DTLS_VERSION_LE(max_version, DTLS1_2_VERSION)
+ : (max_version <= TLS1_2_VERSION)))
return EXT_RETURN_NOT_SENT;
/*
}
/* Copy group ID if supported */
for (i = 0; i < num_groups; i++) {
+ const TLS_GROUP_INFO *ginfo = NULL;
uint16_t ctmp = pgroups[i];
int okfortls13;
- if (tls_valid_group(s, ctmp, min_version, max_version, 0, &okfortls13)
- && tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED)) {
- if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
- return EXT_RETURN_FAIL;
- }
- if (okfortls13 && max_version == TLS1_3_VERSION)
- tls13added++;
- added++;
+ if (!tls_valid_group(s, ctmp, min_version, max_version, &okfortls13,
+ &ginfo)
+ || (!use_ecdhe && is_ecdhe_group(ginfo->group_id))
+ || (!use_ffdhe && is_ffdhe_group(ginfo->group_id))
+ /* Note: SSL_SECOP_CURVE_SUPPORTED covers all key exchange groups */
+ || !tls_group_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
+ continue;
+
+ if (!WPACKET_put_bytes_u16(pkt, ctmp)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+ return EXT_RETURN_FAIL;
}
+ if (okfortls13 && max_version == TLS1_3_VERSION)
+ tls13added++;
+ added++;
}
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
if (added == 0)
if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
continue;
if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
- 0, NULL))
+ NULL, NULL))
continue;
group_id = pgroups[i];
if (i >= num_groups
|| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
|| !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
- 0, NULL)) {
+ NULL, NULL)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
return 0;
}
if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1, NULL)
|| !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
|| !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
- 0, NULL)) {
+ NULL, NULL)) {
/* Share not suitable or not supported, check next share */
continue;
}
|| !tls_group_allowed(s, candidate_groups[current_group],
SSL_SECOP_CURVE_SUPPORTED)
|| !tls_valid_group(s, candidate_groups[current_group], TLS1_3_VERSION,
- TLS1_3_VERSION, 0, NULL))
+ TLS1_3_VERSION, NULL, NULL))
/* No overlap or group not suitable, check next group */
continue;
for (i = 0; i < numgroups; i++) {
uint16_t group = groups[i];
- if (tls_valid_group(s, group, version, version, 0, NULL)
+ if (tls_valid_group(s, group, version, version, NULL, NULL)
&& tls_group_allowed(s, group, SSL_SECOP_CURVE_SUPPORTED)) {
if (first) {
/*
}
#if !defined(OPENSSL_NO_DEPRECATED_3_0)
if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
- pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s),
- 0, 1024));
+ pkdh = ssl_dh_to_pkey(
+ s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s), 0, 1024));
if (pkdh == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
goto err;
}
int tls_valid_group(SSL_CONNECTION *s, uint16_t group_id,
- int minversion, int maxversion,
- int isec, int *okfortls13)
+ int minversion, int maxversion, int *okfortls13,
+ const TLS_GROUP_INFO **giptr)
{
const TLS_GROUP_INFO *ginfo = tls1_group_id_lookup(SSL_CONNECTION_GET_CTX(s),
group_id);
- int ret;
+ int ret = 0;
int group_minversion, group_maxversion;
if (okfortls13 != NULL)
*okfortls13 = 0;
if (ginfo == NULL)
- return 0;
+ goto end;
group_minversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->mindtls : ginfo->mintls;
group_maxversion = SSL_CONNECTION_IS_DTLS(s) ? ginfo->maxdtls : ginfo->maxtls;
if (group_minversion < 0 || group_maxversion < 0)
- return 0;
+ goto end;
if (group_maxversion == 0)
ret = 1;
else
*okfortls13 = (group_maxversion == 0)
|| (group_maxversion >= TLS1_3_VERSION);
}
- ret &= !isec
- || strcmp(ginfo->algorithm, "EC") == 0
- || strcmp(ginfo->algorithm, "X25519") == 0
- || strcmp(ginfo->algorithm, "X448") == 0;
-
+end:
+ if (giptr != NULL)
+ *giptr = ginfo;
return ret;
}
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_STATUS_REQUEST,
TLSProxy::Message::CLIENT,
checkhandshake::STATUS_REQUEST_CLI_EXTENSION],
- (disabled("ec") ? () :
+ ((disabled("ec") && disabled("dh")) ? () :
[TLSProxy::Message::MT_CLIENT_HELLO,
TLSProxy::Message::EXT_SUPPORTED_GROUPS,
TLSProxy::Message::CLIENT,
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
- TLSProxy::Message::CLIENT,
- checkhandshake::DEFAULT_EXTENSIONS],
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ TLSProxy::Message::CLIENT,
+ checkhandshake::DEFAULT_EXTENSIONS]),
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
- TLSProxy::Message::CLIENT,
- checkhandshake::DEFAULT_EXTENSIONS],
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ TLSProxy::Message::CLIENT,
+ checkhandshake::DEFAULT_EXTENSIONS]),
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
- TLSProxy::Message::CLIENT,
- checkhandshake::DEFAULT_EXTENSIONS],
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ TLSProxy::Message::CLIENT,
+ checkhandshake::DEFAULT_EXTENSIONS]),
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SUPPORTED_GROUPS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
- [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
- TLSProxy::Message::CLIENT,
- checkhandshake::DEFAULT_EXTENSIONS],
+ (disabled("tls1_2") ? () :
+ [TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_EC_POINT_FORMATS,
+ TLSProxy::Message::CLIENT,
+ checkhandshake::DEFAULT_EXTENSIONS]),
[TLSProxy::Message::MT_CLIENT_HELLO, TLSProxy::Message::EXT_SIG_ALGS,
TLSProxy::Message::CLIENT,
checkhandshake::DEFAULT_EXTENSIONS],
000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ...............
001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d
002d - 09 02 40 64 ..@d
- extension_type=ec_point_formats(11), length=2
- uncompressed (0)
extension_type=supported_groups(10), length=18
X25519MLKEM768 (4588)
ecdh_x25519 (29)
000f - 01 02 04 04 80 0c 00 00-05 04 80 08 00 00 06 ...............
001e - 04 80 08 00 00 07 04 80-08 00 00 08 02 40 64 .............@d
002d - 09 02 40 64 ..@d
- extension_type=ec_point_formats(11), length=2
- uncompressed (0)
extension_type=supported_groups(10), length=18
X25519MLKEM768 (4588)
ecdh_x25519 (29)
SKIP: {
skip "skipping dhe512 test", 1
- if ($no_dh);
+ if ($no_dh || $no_ec);
+ # Need some explicit EC groups to suppress default support of
+ # ffdhe2048 and ffdhe3072 in the client hello, which then
+ # overrides the server's DH temp parameters from "-dh512".
+ #
is(run(test([@ssltest,
"-s_cipher", "EDH",
"-c_cipher", 'EDH:@SECLEVEL=1',
+ "-groups", "?P-256:?X25519:?MLKEM512",
"-dhe512",
$protocol])), 0,
"testing connection with weak DH, expecting failure");
compression_methods (len=1)
No Compression (0x00)
extensions, length = ?
- extension_type=ec_point_formats(11), length=4
- uncompressed (0)
- ansiX962_compressed_prime (1)
- ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=20
MLKEM512 (512)
MLKEM768 (513)
compression_methods (len=1)
No Compression (0x00)
extensions, length = ?
- extension_type=ec_point_formats(11), length=4
- uncompressed (0)
- ansiX962_compressed_prime (1)
- ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=20
MLKEM512 (512)
MLKEM768 (513)
fprintf(stderr,
" -dhe4096 - use 4096 bit key (safe prime) for DHE\n");
#endif
+ fprintf(
+ stderr,
+ " -groups <list> - override the default client supported groups list\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
#ifndef OPENSSL_NO_EC
fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
long bytes = 256L;
#ifndef OPENSSL_NO_DH
EVP_PKEY *dhpkey;
- int dhe512 = 0, dhe1024dsa = 0, dhe4096 = 0;
+ int dhe512 = 0, dhe1024dsa = 0, dhe2048 = 0, dhe4096 = 0;
int no_dhe = 0;
#endif
+ const char *groups = NULL;
int no_psk = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
dhe512 = 1;
else if (strcmp(*argv, "-dhe1024dsa") == 0)
dhe1024dsa = 1;
+ else if (strcmp(*argv, "-dhe2048") == 0)
+ dhe2048 = 1;
else if (strcmp(*argv, "-dhe4096") == 0)
dhe4096 = 1;
#endif
#else
no_psk = 1;
#endif
+ } else if (strcmp(*argv, "-groups") == 0) {
+ if (--argc < 1)
+ goto bad;
+ groups = *(++argv);
} else if (strcmp(*argv, "-tls1_2") == 0) {
tls1_2 = 1;
} else if (strcmp(*argv, "-tls1_1") == 0) {
dhpkey = get_dh1024dsa(libctx);
else if (dhe512)
dhpkey = get_dh512(libctx);
+ else if (dhe2048)
+ dhpkey = get_dh2048(libctx);
else if (dhe4096)
dhpkey = get_dh4096(libctx);
else
EVP_PKEY_free(dhpkey);
}
#endif
+ if (groups != NULL && !SSL_CTX_set1_groups_list(c_ctx, groups)) {
+ BIO_printf(bio_err, "error setting client supported groups to: %s\n",
+ groups);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
if (!(SSL_CTX_load_verify_file(s_ctx, CAfile)
|| SSL_CTX_load_verify_dir(s_ctx, CApath))
char *kexch_name0 = NULL;
const char *kexch_names = NULL;
int shared_group0;
+ const char *client_group_name = NULL;
switch (idx) {
#ifndef OPENSSL_NO_EC
#ifndef OPENSSL_NO_TLS1_2
case 20:
max_version = TLS1_2_VERSION;
- kexch_name0 = "ffdhe2048";
#endif
/* Fall through */
case 6:
#if !defined(OPENSSL_NO_TLS1_2)
case 19:
max_version = TLS1_2_VERSION;
+ kexch_groups = NULL;
#if !defined(OPENSSL_NO_EC)
/* Set at least one EC group so the handshake completes */
kexch_names = "MLKEM512:MLKEM768:MLKEM1024:secp256r1";
+ kexch_name0 = "secp256r1";
+ break;
#elif !defined(OPENSSL_NO_DH)
- kexch_names = "MLKEM512:MLKEM768:MLKEM1024";
+ kexch_names = "MLKEM512:MLKEM768:MLKEM1024:ffdhe2048";
+ kexch_name0 = "ffdhe2048";
+ break;
#else
/* With neither EC nor DH TLS 1.2 can't happen */
return 1;
#endif
#endif
- /* Fall through */
case 12:
kexch_groups = NULL;
if (kexch_names == NULL)
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
+ shared_group0 = SSL_get_shared_group(serverssl, 0);
+ if (kexch_groups != NULL
+ && !TEST_int_eq(shared_group0, kexch_groups[0]))
+ goto end;
+ if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
+ kexch_name0))
+ goto end;
/*
- * If the handshake succeeds the negotiated kexch alg should be the first
- * one in configured, except in the case of "all" FFDHE and "all" ML-KEM
- * groups (idx == 19, 20), which are TLSv1.3 only so we expect no shared
- * group to exist.
+ * With TLS <= 1.2, the client will not infer an FFDHE group name from
+ * the server's DH parameters, so we allow NULL client names in that
+ * case.
*/
- shared_group0 = SSL_get_shared_group(serverssl, 0);
- switch (idx) {
- case 19:
-#if !defined(OPENSSL_NO_EC)
- /* MLKEM + TLS 1.2 and no DH => "secp526r1" */
- if (!TEST_int_eq(shared_group0, NID_X9_62_prime256v1))
- goto end;
- break;
-#endif
- /* Fall through */
- case 20:
- if (!TEST_int_eq(shared_group0, 0))
- goto end;
- break;
- default:
- if (kexch_groups != NULL
- && !TEST_int_eq(shared_group0, kexch_groups[0]))
- goto end;
- if (!TEST_str_eq(SSL_group_to_name(serverssl, shared_group0),
- kexch_name0))
- goto end;
- if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
- || !TEST_str_eq(SSL_get0_group_name(clientssl), kexch_name0))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
- goto end;
- if (!TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
- goto end;
- break;
- }
+ client_group_name = SSL_get0_group_name(clientssl);
+ if (!TEST_str_eq(SSL_get0_group_name(serverssl), kexch_name0)
+ || ((max_version >= TLS1_3_VERSION || client_group_name != NULL)
+ && !TEST_str_eq(client_group_name, kexch_name0)))
+ goto end;
+ if (!TEST_int_eq(SSL_get_negotiated_group(serverssl), shared_group0))
+ goto end;
+ if (client_group_name != NULL
+ && !TEST_int_eq(SSL_get_negotiated_group(clientssl), shared_group0))
+ goto end;
testresult = 1;
end:
kexch_alg = ecdhe_kexch_groups[idx];
else
kexch_alg = ffdhe_kexch_groups[idx];
- /* We expect nothing for the unimplemented TLS 1.2 FFDHE named groups */
- if (!istls13 && !isecdhe)
- expectednid = NID_undef;
- else
- expectednid = kexch_alg;
+ expectednid = kexch_alg;
if (is_fips && (kexch_alg == NID_X25519 || kexch_alg == NID_X448))
return TEST_skip("X25519 and X448 might not be available in fips provider.");
if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
goto end;
- /* Initial handshake; always the configured one */
- if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
- || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
+ /*
+ * Initial handshake; always the configured one. With TLS <= 1.2 and FFDHE
+ * the client does not infer a negotiated group id.
+ */
+ if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)
+ || ((istls13 || isecdhe)
+ && !TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)))
goto end;
if (!TEST_ptr((origsess = SSL_get1_session(clientssl))))
goto end;
/* Still had better agree, since nothing changed... */
- if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
- || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
+ if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)
+ || ((istls13 || isecdhe)
+ && !TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)))
goto end;
SSL_shutdown(clientssl);
if (!TEST_int_ne(expectednid, kexch_alg))
goto end;
} else {
- /* TLS 1.2 only supports named groups for ECDHE. */
- if (isecdhe)
- expectednid = kexch_alg;
- else
- expectednid = 0;
+ expectednid = kexch_alg;
}
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
goto end;
/* Check that we get what we expected */
- if (!TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)
- || !TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid))
+ if (!TEST_uint_eq(SSL_get_negotiated_group(serverssl), expectednid)
+ || ((istls13 || isecdhe)
+ && !TEST_uint_eq(SSL_get_negotiated_group(clientssl), expectednid)))
goto end;
testresult = 1;
return testresult;
}
-#ifndef OPENSSL_NO_TLS1_3
/*
* Test the server will reject FFDHE ciphersuites if no supported FFDHE group is
* advertised by the client.
return testresult;
}
-#endif /* OPENSSL_NO_TLS1_3 */
#endif /* OPENSSL_NO_DH */
#endif /* OPENSSL_NO_TLS1_2 */
#ifndef OPENSSL_NO_DH
ADD_ALL_TESTS(test_set_tmp_dh, 11);
ADD_ALL_TESTS(test_dh_auto, 7);
-#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_no_shared_ffdhe_group, 10);
ADD_ALL_TESTS(test_shared_ffdhe_group, 5);
#endif
#endif
-#endif
#ifndef OSSL_NO_USABLE_TLS1_3
ADD_TEST(test_sni_tls13);
ADD_ALL_TESTS(test_ticket_lifetime, 2);
projects / thirdparty / openssl.git / commitdiff
