Welcome! Log In Create A New Profile

Advanced

Re: [PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Maxim Dounin
May 22, 2023 09:08PM
Hello!

On Mon, May 22, 2023 at 11:52:16PM +0400, Sergey Kandaurov wrote:

> # HG changeset patch
> # User Sergey Kandaurov <pluknet@nginx.com>
> # Date 1684774417 -14400
> # Mon May 22 20:53:37 2023 +0400
> # Node ID 42066e126d2ca0f6d5095d818910559adf5d4bdc
> # Parent e60c76cbf2a5b0d9e1d235770d68f260cf1a4e3e
> Tests: avoid specifying PSS in sigalgs unless in TLSv1.3.
>
> It might happen that TLSv1.3 is disabled and PSS isn't supported as seen
> on Amazon Linux (LTS). The change restores old logic before 0e1865aa9b33.
>
> diff --git a/ssl_certificates.t b/ssl_certificates.t
> --- a/ssl_certificates.t
> +++ b/ssl_certificates.t
> @@ -120,8 +120,8 @@ sub get_socket {
> return unless defined $type;
> my $ssleay = Net::SSLeay::SSLeay();
> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
> - $sigalgs = $type . '+SHA256' unless $type eq 'RSA';
> + my $sigalgs = $type eq 'RSA' && test_tls13()
> + ? 'RSA+SHA256:PSS+SHA256' : $type . '+SHA256';
> # SSL_CTRL_SET_SIGALGS_LIST
> Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
> or die("Failed to set sigalgs");
> diff --git a/ssl_stapling.t b/ssl_stapling.t
> --- a/ssl_stapling.t
> +++ b/ssl_stapling.t
> @@ -321,8 +321,8 @@ sub staple {
> return unless defined $ciphers;
> my $ssleay = Net::SSLeay::SSLeay();
> return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
> - my $sigalgs = 'RSA+SHA256:PSS+SHA256';
> - $sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
> + my $sigalgs = $ciphers eq 'RSA' && test_tls13()
> + ? 'RSA+SHA256:PSS+SHA256' : $ciphers . '+SHA256';
> # SSL_CTRL_SET_SIGALGS_LIST
> Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
> or die("Failed to set sigalgs");

I would rather refrain from SSL connections as in test_tls13()
when creating an SSL context, hence the change.

But it looks like I was wrong assuming OpenSSL handles sigalgs
similarly to ciphers, and ignores unknown ones. Looking through
the code suggests it instead returns an error if it sees an
unknown signature algorithm, so trying to set
'RSA+SHA256:PSS+SHA256' fails if OpenSSL does not support TLSv1.3.

Something like this should be enough to address this without
introducing additional TLSv1.3 tests:

diff -r a797d7428fa5 ssl_certificates.t
--- a/ssl_certificates.t Thu May 18 18:07:19 2023 +0300
+++ b/ssl_certificates.t Tue May 23 01:03:42 2023 +0000
@@ -120,10 +120,11 @@
return unless defined $type;
my $ssleay = Net::SSLeay::SSLeay();
return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
- my $sigalgs = 'RSA+SHA256:PSS+SHA256';
- $sigalgs = $type . '+SHA256' unless $type eq 'RSA';
+ my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256');
+ @sigalgs = ($type . '+SHA256') unless $type eq 'RSA';
# SSL_CTRL_SET_SIGALGS_LIST
- Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
+ Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0])
+ or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])
or die("Failed to set sigalgs");
};

diff -r a797d7428fa5 ssl_stapling.t
--- a/ssl_stapling.t Thu May 18 18:07:19 2023 +0300
+++ b/ssl_stapling.t Tue May 23 01:03:42 2023 +0000
@@ -319,10 +319,11 @@
return unless defined $ciphers;
my $ssleay = Net::SSLeay::SSLeay();
return if ($ssleay < 0x1000200f || $ssleay == 0x20000000);
- my $sigalgs = 'RSA+SHA256:PSS+SHA256';
- $sigalgs = $ciphers . '+SHA256' unless $ciphers eq 'RSA';
+ my @sigalgs = ('RSA+SHA256:PSS+SHA256', 'RSA+SHA256');
+ @sigalgs = ($ciphers . '+SHA256') unless $ciphers eq 'RSA';
# SSL_CTRL_SET_SIGALGS_LIST
- Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)
+ Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[0])
+ or Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs[1])
or die("Failed to set sigalgs");
};


(The code basically retries with 'RSA+SHA256' if setting sigalgs
to 'RSA+SHA256:PSS+SHA256'. If an error happens with ECDSA, it
also retries with undefined, and then reports the error.)

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 00 of 11] SSL tests simplified

Maxim Dounin 691 April 16, 2023 11:46PM

[PATCH 01 of 11] Tests: SIGPIPE handling in mail tests

Maxim Dounin 153 April 16, 2023 11:46PM

[PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Maxim Dounin 153 April 16, 2023 11:46PM

Re: [PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Sergey Kandaurov 157 May 03, 2023 12:22PM

Re: [PATCH 03 of 11] Tests: added has_feature() tests for IO::Socket::SSL

Maxim Dounin 161 May 03, 2023 11:58PM

[PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Maxim Dounin 220 April 16, 2023 11:46PM

Re: [PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Sergey Kandaurov 130 May 11, 2023 07:50AM

Re: [PATCH 04 of 11] Tests: fixed server_tokens tests for build names with spaces

Maxim Dounin 153 May 14, 2023 02:54PM

[PATCH 05 of 11] Tests: added has_feature() test for SSL libraries

Maxim Dounin 148 April 16, 2023 11:46PM

[PATCH 09 of 11] Tests: simplified stream SSL tests with IO::Socket::SSL

Maxim Dounin 159 April 16, 2023 11:46PM

[PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Maxim Dounin 176 April 16, 2023 11:46PM

Re: [PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Sergey Kandaurov 252 May 11, 2023 10:40AM

Re: [PATCH 06 of 11] Tests: reworked mail SSL tests to use IO::Socket::SSL

Maxim Dounin 141 May 14, 2023 05:12PM

[PATCH 08 of 11] Tests: reworked stream SSL tests to use IO::Socket::SSL

Maxim Dounin 156 April 16, 2023 11:46PM

[PATCH 07 of 11] Tests: simplified mail_imap_ssl.t

Maxim Dounin 154 April 16, 2023 11:46PM

[PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Maxim Dounin 158 April 16, 2023 11:46PM

Re: [PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Sergey Kandaurov 145 May 11, 2023 10:28AM

Re: [PATCH 10 of 11] Tests: reworked http SSL tests to use IO::Socket::SSL

Maxim Dounin 173 May 18, 2023 11:18AM

[PATCH 11 of 11] Tests: simplified http SSL tests with IO::Socket::SSL

Maxim Dounin 156 April 16, 2023 11:46PM

[PATCH 0 of 6] SSL tests refactoring fixes

Sergey Kandaurov 131 May 22, 2023 03:58PM

[PATCH 1 of 6] Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring

Sergey Kandaurov 141 May 22, 2023 03:58PM

Re: [PATCH 1 of 6] Tests: unbreak ssl_stapling.t after IO::Socket::SSL refactoring

Maxim Dounin 152 May 22, 2023 04:38PM

[PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Sergey Kandaurov 134 May 22, 2023 03:58PM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Maxim Dounin 129 May 22, 2023 07:44PM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Sergey Kandaurov 143 May 23, 2023 06:36AM

Re: [PATCH 2 of 6] Tests: unbreak tests with IO::Socket:SSL lacking SSL_session_key

Maxim Dounin 193 May 23, 2023 09:32AM

[PATCH 3 of 6] Tests: unbreak stream_ssl_variables.t with old IO::Socket::SSL

Sergey Kandaurov 130 May 22, 2023 04:00PM

Re: [PATCH 3 of 6] Tests: unbreak stream_ssl_variables.t with old IO::Socket::SSL

Maxim Dounin 129 May 22, 2023 07:52PM

[PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Sergey Kandaurov 136 May 22, 2023 04:00PM

Re: [PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Maxim Dounin 130 May 22, 2023 09:08PM

Re: [PATCH 4 of 6] Tests: avoid specifying PSS in sigalgs unless in TLSv1.3

Sergey Kandaurov 260 May 23, 2023 08:24AM

[PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Sergey Kandaurov 132 May 22, 2023 04:00PM

Re: [PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Maxim Dounin 126 May 22, 2023 10:18PM

Re: [PATCH 5 of 6] Tests: added missing socket_ssl_alpn guard in mail_ssl.t

Sergey Kandaurov 220 May 23, 2023 08:56AM

[PATCH 6 of 6] Tests: added missing socket_ssl_reused prerequisites

Sergey Kandaurov 129 May 22, 2023 04:00PM

Re: [PATCH 6 of 6] Tests: added missing socket_ssl_reused prerequisites

Maxim Dounin 117 May 22, 2023 10:40PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 236
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready