• Bug#1109207: bookworm-pu: package openssl/3.0.17-1~deb12u1 (7/7)

    From Sebastian Andrzej Siewior@21:1/5 to All on Sun Jul 13 15:00:01 2025
    [continued from previous message]

    + #Test 4: Downgrade from TLSv1.3 to TLSv1.1
    + $proxy->clear();
    + $testtype = DOWNGRADE_TO_TLS_1_1;
    + $proxy->clientflags($client_flags);
    + $proxy->serverflags($server_flags);
    + $proxy->ciphers($ciphers);
    + $proxy->start();
    + ok(is_illegal_parameter_client_alert(), "Downgrade TLSv1.3 to TLSv1.1");
    +
    + #Test 5: Downgrade from TLSv1.3 to TLSv1.1 (server sends TLSv1.2 signal)
    + $proxy->clear();
    + $testtype = DOWNGRADE_TO_TLS_1_1_WITH_TLS_1_2_SIGNAL;
    + $proxy->clientflags($client_flags);
    + $proxy->serverflags($server_flags);
    + $proxy->ciphers($ciphers);
    + $proxy->start();
    + ok(is_illegal_parameter_client_alert(),
    + "Downgrade TLSv1.3 to TLSv1.1 (server sends TLSv1.2 signal)");
    +
    + #Test 6: Downgrade from TLSv1.2 to TLSv1.1
    + $proxy->clear();
    + $testtype = DOWNGRADE_TO_TLS_1_1;
    + $proxy->clientflags($client_flags." -max_protocol TLSv1.2");
    + $proxy->serverflags($server_flags." -max_protocol TLSv1.2");
    + $proxy->ciphers($ciphers);
    + $proxy->start();
    + ok(is_illegal_parameter_client_alert(), "Downgrade TLSv1.2 to TLSv1.1");
    +
    + #Test 7: A client side protocol "hole" should not be detected as a downgrade
    $proxy->clear();
    $proxy->filter(undef);
    - $proxy->clientflags("-no_tls1_2");
    - $proxy->ciphers("AES128-SHA:\@SECLEVEL=0");
    + $proxy->clientflags($client_flags." -no_tls1_2");
    + $proxy->serverflags($server_flags);
    + $proxy->ciphers($ciphers);
    $proxy->start();
    ok(TLSProxy::Message->success(), "TLSv1.2 client-side protocol hole");

    - #Test 6: A server side protocol "hole" should not be detected as a downgrade
    + #Test 8: A server side protocol "hole" should not be detected as a downgrade
    $proxy->clear();
    $proxy->filter(undef);
    - $proxy->serverflags("-no_tls1_2");
    + $proxy->clientflags($client_flags);
    + $proxy->serverflags($server_flags." -no_tls1_2");
    + $proxy->ciphers($ciphers);
    $proxy->start();
    ok(TLSProxy::Message->success(), "TLSv1.2 server-side protocol hole");
    }

    +# Validate that the exchange fails with an illegal parameter alert from
    +# the client
    +sub is_illegal_parameter_client_alert
    +{
    + return 0 unless TLSProxy::Message->fail();
    + my $alert = TLSProxy::Message->alert();
    + return 1 if !$alert->server()
    + && $alert->description()
    + == TLSProxy::Message::AL_DESC_ILLEGAL_PARAMETER;
    + return 0;
    +}
    +
    sub downgrade_filter
    {
    my $proxy = shift;

    - # We're only interested in the initial ClientHello
    - if ($proxy->flight != 0) {
    + # We're only interested in the initial ClientHello and ServerHello
    + if ($proxy->flight > 1) {
    return;
    }

    - my $message = ${$proxy->message_list}[0];
    + my $message = ${$proxy->message_list}[$proxy->flight];
    +
    + # ServerHello
    + if ($proxy->flight == 1 && defined($message)) {
    + # Update the last byte of the downgrade signal
    + if ($testtype == DOWNGRADE_TO_TLS_1_2_WITH_TLS_1_1_SIGNAL) {
    + $message->random(substr($message->random, 0, 31) . "\0");
    + $message->repack();
    + } elsif ($testtype == DOWNGRADE_TO_TLS_1_1_WITH_TLS_1_2_SIGNAL) {
    + $message->random(substr($message->random, 0, 31) . "\1");
    + $message->repack();
    + }
    +
    + return;
    + }

    + # ClientHello
    + if ($proxy->flight == 0) {
    my $ext;
    if ($testtype == FALLBACK_FROM_TLS_1_3) {
    #The default ciphersuite we use for TLSv1.2 without any SCSV
    my @ciphersuites = (TLSProxy::Message::CIPHER_RSA_WITH_AES_128_CBC_SHA);
    $message->ciphersuite_len(2 * scalar @ciphersuites);
    $message->ciphersuites(\@ciphersuites);
    - } else {
    - if ($testtype == DOWNGRADE_TO_TLS_1_2) {
    + }
    + else {
    + if ($testtype == DOWNGRADE_TO_TLS_1_2
    + || $testtype == DOWNGRADE_TO_TLS_1_2_WITH_TLS_1_1_SIGNAL) {
    $ext = pack "C3",
    0x02, # Length
    0x03, 0x03; #TLSv1.2
    - } else {
    + }
    + else {
    $ext = pack "C3",
    0x02, # Length
    0x03, 0x02; #TLSv1.1
    }

    - $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS, $ext);
    + $message->set_extension(TLSProxy::Message::EXT_SUPPORTED_VERSIONS,
    + $ext);
    }

    $message->repack();
    }
    +}

    diff -Nru -w openssl-3.0.16/test/recipes/80-test_ca.t openssl-3.0.17/test/recipes/80-test_ca.t
    --- openssl-3.0.16/test/recipes/80-test_ca.t 2025-02-11 15:47:41.000000000 +0100
    +++ openssl-3.0.17/test/recipes/80-test_ca.t 2025-07-01 14:11:11.000000000 +0200
    @@ -1,5 +1,5 @@
    #! /usr/bin/env perl
    -# Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
    +# Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
    #
    # Licensed under the Apache License 2.0 (the "License"). You may not use
    # this file except in compliance with the License. You can obtain a copy
    @@ -21,9 +21,7 @@
    $ENV{OPENSSL} = cmdstr(app(["openssl"]), display => 1);

    my $cnf = srctop_file("test","ca-and-certs.cnf");
    -my $std_openssl_cnf = '"'
    - . srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf")
    - . '"';
    +my $std_openssl_cnf = srctop_file("apps", $^O eq "VMS" ? "openssl-vms.cnf" : "openssl.cnf");

    rmtree("demoCA", { safe => 0 });
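Review bot: Dropping the embedded double quotes on the added `my $std_openssl_cnf = srctop_file(...)` line is only safe if every use now passes the path as its own list element; a call that still interpolates it into a single command string would be word-split by the shell when the source tree path contains spaces or shell metacharacters. Those call sites are outside this hunk, so this should be checked against the rest of the file. The next hunk's context still builds `$ENV{OPENSSL_CONFIG}` as `qq(-config "$cnf")`, so the quoted-string convention remains in use next to the new unquoted one. A comment above the assignment would record the contract, e.g. `# Plain path, no quoting: pass as a separate argument, never interpolate into a command string`. The added line also runs past 80 columns, so keeping the line break of the removed form would match the surrounding style.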

    @@ -33,14 +31,14 @@
    $ENV{OPENSSL_CONFIG} = qq(-config "$cnf");
    skip "failed creating CA structure", 4
    if !o