From ef74a168f39da0a46c27d788ce32bef5ae0eec93 Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Sun, 2 Oct 2022 15:57:32 +0800
Subject: [PATCH 1/6] Allow set ssl security level 2 and ssl version

---
 ssl/ssl_cert.c          | 18 +++++++++++++++---
 ssl/statem/statem_lib.c |  4 ++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 2a879e8f3..6cb2e3bc6 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1080,9 +1080,21 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
     case SSL_SECOP_VERSION:
         if (!SSL_IS_DTLS(s)) {
 #ifndef OPENSSL_NO_NTLS
-            /* NTLS v1.1 not allowed at level 3 */
-            if (nid == NTLS_VERSION && level >= 3)
-                return 0;
+            /* NTLS v1.1 not suitable for above level 3 */
+            if (nid == NTLS_VERSION)
+            {
+                //https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+                //level 3: Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. 
+                //In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. TLS versions below 1.1 are not permitted. Session tickets are disabled.
+                if(level > 3)
+                {
+                    return 0;
+                }
+                else
+                {
+                    return 1;
+                }
+            }
 #endif
             /* SSLv3 not allowed at level 2 */
             if (nid <= SSL3_VERSION && level >= 2)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index cff0338cf..d88011b33 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1770,7 +1770,11 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
         return 1;
     }
 
+#ifndef OPENSSL_NO_NTLS
+    valid_tls = version >= NTLS1_1_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
+#else
     valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
+#endif
     valid_dtls =
         DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
         DTLS_VERSION_GE(version, DTLS1_BAD_VER);

From 3c7db2754b82385d2a987d1283b3929a11442f03 Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Sun, 2 Oct 2022 16:36:05 +0800
Subject: [PATCH 2/6] add security level and ssl version test for NTLS

---
 test/ssl_ntls_api_test.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/ssl_ntls_api_test.c b/test/ssl_ntls_api_test.c
index 79f20e7b2..426a92d7b 100644
--- a/test/ssl_ntls_api_test.c
+++ b/test/ssl_ntls_api_test.c
@@ -502,6 +502,12 @@ static int test_ntls_ssl_set_cert_pkey_api(int i)
     if (!TEST_true(ssl != NULL))
         goto err;
 
+    SSL_CTX_set_security_level(ctx, 2);
+# ifndef OPENSSL_NO_SM2
+    SSL_CTX_set_min_proto_version(ctx, NTLS1_1_VERSION);
+    SSL_CTX_set_max_proto_version(ctx, NTLS1_1_VERSION);
+#endif
+
     if (!TEST_int_eq(SSL_use_sign_certificate(ssl, sign_cert), 1))
         goto err;
 

From 4f5615e68678467104c3dc34733eea8e3942e913 Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Mon, 10 Oct 2022 12:54:39 +0800
Subject: [PATCH 3/6] update according to code style

---
 ssl/ssl_cert.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 6cb2e3bc6..60319a05f 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1080,21 +1080,18 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
     case SSL_SECOP_VERSION:
         if (!SSL_IS_DTLS(s)) {
 #ifndef OPENSSL_NO_NTLS
-            /* NTLS v1.1 not suitable for above level 3 */
-            if (nid == NTLS_VERSION)
-            {
-                //https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
-                //level 3: Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. 
-                //In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. TLS versions below 1.1 are not permitted. Session tickets are disabled.
-                if(level > 3)
-                {
-                    return 0;
-                }
-                else
-                {
-                    return 1;
-                }
+
+ /* NTLS v1.1 not suitable for above level 3 
+ https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+ level 3: Security level set to 128 bits of security. As a result RSA, DSA 
+ and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are 
+ prohibited. In addition to the level 2 exclusions cipher suites not 
+ offering forward secrecy are prohibited. TLS versions below 1.1 are not
+ permitted. Session tickets are disabled.     */
+            if (nid == NTLS_VERSION)  {
+                return level > 3 ? 0 : 1;
             }
+            
 #endif
             /* SSLv3 not allowed at level 2 */
             if (nid <= SSL3_VERSION && level >= 2)

From 4aa0dd96bac38961878dde0cb33f0864c2c8ba2d Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Mon, 10 Oct 2022 13:38:10 +0800
Subject: [PATCH 4/6] update according to code style

---
 ssl/ssl_cert.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 60319a05f..24fdf1f9c 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1081,17 +1081,19 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
         if (!SSL_IS_DTLS(s)) {
 #ifndef OPENSSL_NO_NTLS
 
- /* NTLS v1.1 not suitable for above level 3 
- https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
- level 3: Security level set to 128 bits of security. As a result RSA, DSA 
- and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are 
- prohibited. In addition to the level 2 exclusions cipher suites not 
- offering forward secrecy are prohibited. TLS versions below 1.1 are not
- permitted. Session tickets are disabled.     */
+            /* NTLS v1.1 not suitable for above level 3 
+            https://www.openssl.org/docs/man1.1.1/man3
+            /SSL_CTX_set_security_level.html
+            level 3: Security level set to 128 bits of security. 
+            As a result RSA, DSA and DH keys shorter than 3072 bits and ECC 
+            keys shorter than 256 bits are prohibited. In addition to the 
+            level 2 exclusions cipher suites not offering forward secrecy are 
+            prohibited. TLS versions below 1.1 are not  permitted. 
+            Session tickets are disabled. */
             if (nid == NTLS_VERSION)  {
                 return level > 3 ? 0 : 1;
             }
-            
+
 #endif
             /* SSLv3 not allowed at level 2 */
             if (nid <= SSL3_VERSION && level >= 2)

From 64dd5127156e0429e34c2ab2f4e70e4427635479 Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Mon, 10 Oct 2022 14:02:45 +0800
Subject: [PATCH 5/6] update test code, remove unrelated macro

---
 test/ssl_ntls_api_test.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/test/ssl_ntls_api_test.c b/test/ssl_ntls_api_test.c
index 426a92d7b..c6414428b 100644
--- a/test/ssl_ntls_api_test.c
+++ b/test/ssl_ntls_api_test.c
@@ -503,10 +503,8 @@ static int test_ntls_ssl_set_cert_pkey_api(int i)
         goto err;
 
     SSL_CTX_set_security_level(ctx, 2);
-# ifndef OPENSSL_NO_SM2
     SSL_CTX_set_min_proto_version(ctx, NTLS1_1_VERSION);
     SSL_CTX_set_max_proto_version(ctx, NTLS1_1_VERSION);
-#endif
 
     if (!TEST_int_eq(SSL_use_sign_certificate(ssl, sign_cert), 1))
         goto err;

From 10bd903a12d74145c23ece4f41fa09f4cc5bf363 Mon Sep 17 00:00:00 2001
From: Boyd <77256382@qq.com>
Date: Fri, 14 Oct 2022 08:20:22 +0800
Subject: [PATCH 6/6] Update according to code style

---
 ssl/ssl_cert.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 24fdf1f9c..48b5691de 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1081,16 +1081,17 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
         if (!SSL_IS_DTLS(s)) {
 #ifndef OPENSSL_NO_NTLS
 
-            /* NTLS v1.1 not suitable for above level 3 
-            https://www.openssl.org/docs/man1.1.1/man3
-            /SSL_CTX_set_security_level.html
-            level 3: Security level set to 128 bits of security. 
-            As a result RSA, DSA and DH keys shorter than 3072 bits and ECC 
-            keys shorter than 256 bits are prohibited. In addition to the 
-            level 2 exclusions cipher suites not offering forward secrecy are 
-            prohibited. TLS versions below 1.1 are not  permitted. 
-            Session tickets are disabled. */
-            if (nid == NTLS_VERSION)  {
+            /*-
+            * NTLS v1.1 not suitable for above level 3 
+            * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+            * level 3: Security level set to 128 bits of security. 
+            * As a result RSA, DSA and DH keys shorter than 3072 bits and ECC 
+            * keys shorter than 256 bits are prohibited. In addition to the 
+            * level 2 exclusions cipher suites not offering forward secrecy are 
+            * prohibited. TLS versions below 1.1 are not  permitted. 
+            * Session tickets are disabled. 
+            */
+            if (nid == NTLS_VERSION) {
                 return level > 3 ? 0 : 1;
             }