Fix no-tls1_3 tests

This recently added test needs DH2048 to work without tls1_3.

Fixes: #16335
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16453)

diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 7a171bff9d0a907bdb2038b618a87ed62a24eb19..a999492207b80f4fc9a0ad2bda28680535aa418d 100644 (file)
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -20,8 +20,7 @@ jobs:
           no-tests,
           no-threads,
           no-tls,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#          no-tls1_3,
+          no-tls1_3,
           no-ts,
           no-ui,
         ]

diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c1b0327ae34ce4ba8c05e106a5080b4d9056a034..e335b87b319aef2a6d576ddd405cbfe7bc120cf9 100644 (file)
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -50,8 +50,7 @@ jobs:
           no-egd,
           no-engine,
           no-external-tests,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#          no-tls1_3,
+          no-tls1_3,
           no-fuzz-afl,
           no-fuzz-libfuzzer,
           no-gost,

diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 6f5fdb76693a5e8cad01894343b994d9806f6dc9..9800de0fc8a62a9315b43f81b8ffa7d9be47c6c7 100644 (file)
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -519,7 +519,7 @@ sub testssl {
            skip "skipping auto PSK tests", 1
                if ($no_dh || $no_psk || $no_ec);
 
-           ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
+           ok(run(test(['ssltest_old', '-dhe2048', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
               'test auto DH meets security strength');
          }
        }

diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 36e6031f3a102f00a9308c85e7bd50f2f3998b9a..cc98e4f8665e8acad8306437d267afd268cf73a1 100644 (file)
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -95,6 +95,7 @@ struct app_verify_arg {
 static DH *get_dh512(void);
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
+static DH *get_dh2048(void);
 #endif
 
 static char *psk_key = NULL;    /* by default PSK is not used */
@@ -641,6 +642,8 @@ static void sv_usage(void)
             " -dhe1024      - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
     fprintf(stderr,
             " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
+    fprintf(stderr,
+            " -dhe2048      - use 2048 bit key (rfc3526 pime) for DHE\n");
     fprintf(stderr, " -no_dhe       - disable DHE\n");
 #endif
 #ifndef OPENSSL_NO_EC
@@ -895,6 +898,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
     DH *dh;
     int dhe512 = 0, dhe1024dsa = 0;
+    int dhe2048 = 0;
 #endif
     int no_dhe = 0;
     int no_psk = 0;
@@ -989,6 +993,13 @@ int main(int argc, char *argv[])
 #else
             fprintf(stderr,
                     "ignoring -dhe512, since I'm compiled without DH\n");
+#endif
+        } else if (strcmp(*argv, "-dhe2048") == 0) {
+#ifndef OPENSSL_NO_DH
+            dhe2048 = 1;
+#else
+            fprintf(stderr,
+                    "ignoring -dhe2048, since I'm compiled without DH\n");
 #endif
         } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
 #ifndef OPENSSL_NO_DH
@@ -1482,6 +1493,8 @@ int main(int argc, char *argv[])
             dh = get_dh1024dsa();
         } else if (dhe512)
             dh = get_dh512();
+        else if (dhe2048)
+            dh = get_dh2048();
         else
             dh = get_dh1024();
         SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3019,6 +3032,34 @@ static DH *get_dh1024dsa(void)
     DH_set_length(dh, 160);
     return dh;
 }
+
+static DH *get_dh2048(void)
+{
+    BIGNUM *p = NULL, *g = NULL;
+    DH *dh = NULL;
+
+    if ((dh = DH_new()) == NULL)
+        return NULL;
+
+    g = BN_new();
+    if (g == NULL || !BN_set_word(g, 2))
+        goto err;
+
+    p = BN_get_rfc3526_prime_2048(NULL);
+    if (p == NULL)
+        goto err;
+
+    if (!DH_set0_pqg(dh, p, NULL, g))
+        goto err;
+
+    return dh;
+
+ err:
+    DH_free(dh);
+    BN_free(p);
+    BN_free(g);
+    return NULL;
+}
 #endif
 
 #ifndef OPENSSL_NO_PSK