Fix no-ec and no-tls1_2

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7620)

6 files changed, 58 insertions, 36 deletions

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e9c5c5cf80..70e5a1740f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2572,7 +2572,9 @@ __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
 __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+#  ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+#  endif
 __owur int tls12_check_peer_sigalg(SSL *s, uint16_t, EVP_PKEY *pkey);
 __owur int ssl_set_client_disabled(SSL *s);
 __owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op, int echde);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 95c22062ba..4324896f50 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1506,8 +1506,11 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
  */
 static int is_tls13_capable(const SSL *s)
 {
-    int i, curve;
+    int i;
+#ifndef OPENSSL_NO_EC
+    int curve;
     EC_KEY *eckey;
+#endif
 
 #ifndef OPENSSL_NO_PSK
     if (s->psk_server_callback != NULL)
@@ -1530,6 +1533,7 @@ static int is_tls13_capable(const SSL *s)
         }
         if (!ssl_has_cert(s, i))
             continue;
+#ifndef OPENSSL_NO_EC
         if (i != SSL_PKEY_ECC)
             return 1;
         /*
@@ -1543,6 +1547,9 @@ static int is_tls13_capable(const SSL *s)
         curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
         if (tls_check_sigalg_curve(s, curve))
             return 1;
+#else
+        return 1;
+#endif
     }
 
     return 0;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index fe13a39c38..3415c6335f 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -949,6 +949,7 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs)
     }
 }
 
+#ifndef OPENSSL_NO_EC
 /*
  * Called by servers only. Checks that we have a sig alg that supports the
  * specified EC curve.
@@ -979,6 +980,7 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
 
     return 0;
 }
+#endif
 
 /*
  * Check signature algorithm is consistent with sent supported signature
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index da8302d206..db2271c388 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -69,6 +69,7 @@ my %conf_dependent_tests = (
   "22-compression.conf" => !$is_default_tls,
   "25-cipher.conf" => disabled("poly1305") || disabled("chacha"),
   "27-ticket-appdata.conf" => !$is_default_tls,
+  "28-seclevel.conf" => disabled("tls1_2") || $no_ec,
 );
 
 # Add your test here if it should be skipped for some compile-time
diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf
index ddc2448f85..f863f68b08 100644
--- a/test/ssl-tests/28-seclevel.conf
+++ b/test/ssl-tests/28-seclevel.conf
@@ -4,8 +4,8 @@ num_tests = 4
 
 test-0 = 0-SECLEVEL 3 with default key
 test-1 = 1-SECLEVEL 3 with ED448 key
-test-2 = 2-SECLEVEL 3 with ED448 key, TLSv1.2
-test-3 = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-2 = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE
+test-3 = 3-SECLEVEL 3 with ED448 key, TLSv1.2
 # ===========================================================
 
 [0-SECLEVEL 3 with default key]
@@ -54,22 +54,22 @@ ExpectedResult = Success
 
 # ===========================================================
 
-[2-SECLEVEL 3 with ED448 key, TLSv1.2]
-ssl_conf = 2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE]
+ssl_conf = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
 
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
-server = 2-SECLEVEL 3 with ED448 key, TLSv1.2-server
-client = 2-SECLEVEL 3 with ED448 key, TLSv1.2-client
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
+server = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
+client = 2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
 
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-MaxProtocol = TLSv1.2
-PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
+Groups = X25519
+PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
 
-[2-SECLEVEL 3 with ED448 key, TLSv1.2-client]
-CipherString = DEFAULT
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+[2-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
+CipherString = ECDHE:@SECLEVEL=3
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
 VerifyMode = Peer
 
 [test-2]
@@ -78,22 +78,22 @@ ExpectedResult = Success
 
 # ===========================================================
 
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE]
-ssl_conf = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl
+[3-SECLEVEL 3 with ED448 key, TLSv1.2]
+ssl_conf = 3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl
 
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-ssl]
-server = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server
-client = 3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-ssl]
+server = 3-SECLEVEL 3 with ED448 key, TLSv1.2-server
+client = 3-SECLEVEL 3 with ED448 key, TLSv1.2-client
 
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-server]
-Certificate = ${ENV::TEST_CERTS_DIR}/p384-server-cert.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/server-ed448-cert.pem
 CipherString = DEFAULT:@SECLEVEL=3
-Groups = X25519
-PrivateKey = ${ENV::TEST_CERTS_DIR}/p384-server-key.pem
+MaxProtocol = TLSv1.2
+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem
 
-[3-SECLEVEL 3 with P-384 key, X25519 ECDHE-client]
-CipherString = ECDHE:@SECLEVEL=3
-VerifyCAFile = ${ENV::TEST_CERTS_DIR}/p384-root.pem
+[3-SECLEVEL 3 with ED448 key, TLSv1.2-client]
+CipherString = DEFAULT
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
 [test-3]
diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in
index 5a1ee4638f..9f85a955e1 100644
--- a/test/ssl-tests/28-seclevel.conf.in
+++ b/test/ssl-tests/28-seclevel.conf.in
@@ -10,6 +10,7 @@
 ## SSL test configurations
 
 package ssltests;
+use OpenSSL::Test::Utils;
 
 our @tests = (
     {
@@ -18,6 +19,9 @@ our @tests = (
         client => { },
         test   => { "ExpectedResult" => "ServerFail" },
     },
+);
+
+our @tests_ec = (
     {
         name => "SECLEVEL 3 with ED448 key",
         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
@@ -27,15 +31,6 @@ our @tests = (
         test   => { "ExpectedResult" => "Success" },
     },
     {
-        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
-        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
-                    "Certificate" => test_pem("server-ed448-cert.pem"),
-                    "PrivateKey" => test_pem("server-ed448-key.pem"),
-                    "MaxProtocol" => "TLSv1.2" },
-        client => { },
-        test   => { "ExpectedResult" => "Success" },
-    },
-    {
         name => "SECLEVEL 3 with P-384 key, X25519 ECDHE",
         server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
                     "Certificate" => test_pem("p384-server-cert.pem"),
@@ -46,3 +41,18 @@ our @tests = (
         test   => { "ExpectedResult" => "Success" },
     },
 );
+
+our @tests_tls1_2 = (
+    {
+        name => "SECLEVEL 3 with ED448 key, TLSv1.2",
+        server => { "CipherString" => "DEFAULT:\@SECLEVEL=3",
+                    "Certificate" => test_pem("server-ed448-cert.pem"),
+                    "PrivateKey" => test_pem("server-ed448-key.pem"),
+                    "MaxProtocol" => "TLSv1.2" },
+        client => { },
+        test   => { "ExpectedResult" => "Success" },
+    },
+);
+
+push @tests, @tests_ec unless disabled("ec");
+push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");