-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permit (EC)DHEPSK KEX on SECLEVEL3 #17759
Conversation
Should this go to 1.1.1 as well? |
@@ -1020,6 +1020,8 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, | |||
case SSL_SECOP_CIPHER_CHECK: | |||
{ | |||
const SSL_CIPHER *c = other; | |||
int pfs_mask = SSL_kEDH | SSL_kEECDH | SSL_kECDHEPSK | SSL_kDHEPSK; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: This PR could be a good candidate to also consistently use SSL_kDHE
instead of SSL_kEDH
in our codebase, and the same goes for SSL_kECDHE
over SSL_kEECDH
.
We already have them defined as respective aliases, and even in the OTC we were not entirely sure about the meaning of the less usual aliases used here.
Lines 165 to 172 in a044af4
/* tmp DH key no DH cert */ | |
# define SSL_kDHE 0x00000002U | |
/* synonym */ | |
# define SSL_kEDH SSL_kDHE | |
/* ephemeral ECDH */ | |
# define SSL_kECDHE 0x00000004U | |
/* synonym */ | |
# define SSL_kEECDH SSL_kECDHE |
@@ -1034,7 +1036,7 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx, | |||
return 0; | |||
/* Level 3: forward secure ciphersuites only */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I think it might be more readable to have L1023 initialize pfs_mask
as zero, and set it to SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
here, so one can immediately verify what the check is doing.
|
||
ok(run(test(['ssl_old_test', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES128-CCM'])), | ||
'test auto DH meets security strength'); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Without specifying
-tls1_2
or earlier, this test is not really covering the new code: if I understand this recipe correctly, the default is equivalent to-tls1_3
if nothing is specified. We should explicitly test for-tls1_2
, not sure about previous versions. - Maybe we could add also negative tests here: testing that the RSA PSK ciphers are not accepted at SECLEVEL=3.
- Also maybe we should fill the gap and add tests to also cover the
SSL_kDHE
andSSL_kECDHE
in TLS < 1.3
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mattcaswell you are more familiar with these tests than I am, can you check what I commented here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without specifying -tls1_2 or earlier, this test is not really covering the new code: if I understand this recipe correctly, the default is equivalent to -tls1_3 if nothing is specified. We should explicitly test for -tls1_2, not sure about previous versions.
Yes - this is correct. Good catch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Too good catch - it doesn't work :)
I think during the call there was consensus about considering #17743 as a bug, which would make it eligible for backport to 1.1.1. |
@beldmit @mattcaswell I opened #17763 as an alternative to this: I started working on this yesterday but run out of time preparing the tests commit. Hopefully it should fix the CI errors. |
I see the same test failures as in my PR :( |
I don't think there is a need to discuss this on the OTC call. If it is a bug fix, it can go back to 1.1.1. If it isn't a bug fix it can't go into 3.0. Since it's going into 3.0, it's a bug fix. |
Resolves: #17743
Checklist