[ssl] Add tests for Perfect Forward Secrecy criteria on SECLEVEL >= 3

(manually cherry picked from commit d71151ae704847f4ac3f4a5f394ea64f1d229815)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17791)

2 files changed, 101 insertions, 8 deletions

diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 9800de0fc8..99e3ce5df3 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -476,7 +476,7 @@ sub testssl {
     subtest 'RSA/(EC)DHE/PSK tests' => sub {
 	######################################################################
 
-	plan tests => 6;
+	plan tests => 10;
 
       SKIP: {
 	  skip "TLSv1.0 is not supported by this OpenSSL build", 6
@@ -524,6 +524,43 @@ sub testssl {
 	  }
 	}
 
+      SKIP: {
+            skip "TLSv1.1 is not supported by this OpenSSL build", 4
+                if $no_tls1_1;
+
+        SKIP: {
+            skip "skipping auto DHE PSK test at SECLEVEL 3", 1
+                if ($no_dh || $no_psk);
+
+            ok(run(test(['ssltest_old', '-tls1_1', '-dhe4096', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:DHE-PSK-AES256-CBC-SHA384'])),
+               'test auto DHE PSK meets security strength');
+          }
+
+        SKIP: {
+            skip "skipping auto ECDHE PSK test at SECLEVEL 3", 1
+                if ($no_ec || $no_psk);
+
+            ok(run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:ECDHE-PSK-AES256-CBC-SHA384'])),
+               'test auto ECDHE PSK meets security strength');
+          }
+
+        SKIP: {
+            skip "skipping no RSA PSK at SECLEVEL 3 test", 1
+                if ($no_rsa || $no_psk);
+
+            ok(!run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:RSA-PSK-AES256-CBC-SHA384'])),
+               'test auto RSA PSK does not meet security level 3 requirements (PFS)');
+          }
+
+        SKIP: {
+            skip "skipping no PSK at SECLEVEL 3 test", 1
+                if ($no_psk);
+
+            ok(!run(test(['ssltest_old', '-tls1_1', '-no_dhe', '-psk', '0102030405', '-cipher', '@SECLEVEL=3:PSK-AES256-CBC-SHA384'])),
+               'test auto PSK does not meet security level 3 requirements (PFS)');
+          }
+	}
+
     };
 
     subtest 'Custom Extension tests' => sub {
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index cb450cb05d..61a98e2108 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -96,6 +96,7 @@ static DH *get_dh512(void);
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
 static DH *get_dh2048(void);
+static DH *get_dh4096(void);
 #endif
 
 static char *psk_key = NULL;    /* by default PSK is not used */
@@ -643,7 +644,9 @@ static void sv_usage(void)
     fprintf(stderr,
             " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
     fprintf(stderr,
-            " -dhe2048      - use 2048 bit key (rfc3526 pime) for DHE\n");
+            " -dhe2048      - use 2048 bit key (rfc3526 prime) for DHE\n");
+    fprintf(stderr,
+            " -dhe4096      - use 4096 bit key (rfc3526 prime) for DHE\n");
     fprintf(stderr, " -no_dhe       - disable DHE\n");
 #endif
 #ifndef OPENSSL_NO_EC
@@ -658,6 +661,12 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_TLS1
     fprintf(stderr, " -tls1         - use TLSv1\n");
 #endif
+#ifndef OPENSSL_NO_TLS1_1
+    fprintf(stderr, " -tls1_1       - use TLSv1.1\n");
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    fprintf(stderr, " -tls1_2       - use TLSv1.2\n");
+#endif
 #ifndef OPENSSL_NO_DTLS
     fprintf(stderr, " -dtls         - use DTLS\n");
 #ifndef OPENSSL_NO_DTLS1
@@ -883,7 +892,7 @@ int main(int argc, char *argv[])
     int badop = 0;
     enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
     int force = 0;
-    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0;
+    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_1 = 0, tls1_2 = 0, ssl3 = 0;
     int ret = EXIT_FAILURE;
     int client_auth = 0;
     int server_auth = 0, i;
@@ -900,7 +909,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
     DH *dh;
     int dhe512 = 0, dhe1024dsa = 0;
-    int dhe2048 = 0;
+    int dhe2048 = 0, dhe4096 = 0;
 #endif
     int no_dhe = 0;
     int no_psk = 0;
@@ -996,6 +1005,13 @@ int main(int argc, char *argv[])
             fprintf(stderr,
                     "ignoring -dhe512, since I'm compiled without DH\n");
 #endif
+        } else if (strcmp(*argv, "-dhe4096") == 0) {
+#ifndef OPENSSL_NO_DH
+            dhe4096 = 1;
+#else
+            fprintf(stderr,
+                    "ignoring -dhe4096, since I'm compiled without DH\n");
+#endif
         } else if (strcmp(*argv, "-dhe2048") == 0) {
 #ifndef OPENSSL_NO_DH
             dhe2048 = 1;
@@ -1029,6 +1045,8 @@ int main(int argc, char *argv[])
         }
         else if (strcmp(*argv, "-tls1_2") == 0) {
             tls1_2 = 1;
+        } else if (strcmp(*argv, "-tls1_1") == 0) {
+            tls1_1 = 1;
         } else if (strcmp(*argv, "-tls1") == 0) {
             tls1 = 1;
         } else if (strcmp(*argv, "-ssl3") == 0) {
@@ -1239,8 +1257,8 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
-        fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
+    if (ssl3 + tls1 + tls1_1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
+        fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
                 "be requested.\n");
         EXIT(1);
     }
@@ -1255,6 +1273,11 @@ int main(int argc, char *argv[])
         no_protocol = 1;
     else
 #endif
+#ifdef OPENSSL_NO_TLS1_1
+    if (tls1_1)
+        no_protocol = 1;
+    else
+#endif
 #ifdef OPENSSL_NO_TLS1_2
     if (tls1_2)
         no_protocol = 1;
@@ -1284,11 +1307,11 @@ int main(int argc, char *argv[])
         goto end;
     }
 
-    if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
+    if (!ssl3 && !tls1 && !tls1_1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
             && !reuse && !force) {
         fprintf(stderr, "This case cannot work.  Use -f to perform "
                 "the test anyway (and\n-d to see what happens), "
-                "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
+                "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
                 "to avoid protocol mismatch.\n");
         EXIT(1);
     }
@@ -1340,6 +1363,9 @@ int main(int argc, char *argv[])
     } else if (tls1) {
         min_version = TLS1_VERSION;
         max_version = TLS1_VERSION;
+    } else if (tls1_1) {
+        min_version = TLS1_1_VERSION;
+        max_version = TLS1_1_VERSION;
     } else if (tls1_2) {
         min_version = TLS1_2_VERSION;
         max_version = TLS1_2_VERSION;
@@ -1497,6 +1523,8 @@ int main(int argc, char *argv[])
             dh = get_dh512();
         else if (dhe2048)
             dh = get_dh2048();
+        else if (dhe4096)
+            dh = get_dh4096();
         else
             dh = get_dh1024();
         SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3062,6 +3090,34 @@ static DH *get_dh2048(void)
     BN_free(g);
     return NULL;
 }
+
+static DH *get_dh4096(void)
+{
+    BIGNUM *p = NULL, *g = NULL;
+    DH *dh = NULL;
+
+    if ((dh = DH_new()) == NULL)
+        return NULL;
+
+    g = BN_new();
+    if (g == NULL || !BN_set_word(g, 2))
+        goto err;
+
+    p = BN_get_rfc3526_prime_4096(NULL);
+    if (p == NULL)
+        goto err;
+
+    if (!DH_set0_pqg(dh, p, NULL, g))
+        goto err;
+
+    return dh;
+
+ err:
+    DH_free(dh);
+    BN_free(p);
+    BN_free(g);
+    return NULL;
+}
 #endif
 
 #ifndef OPENSSL_NO_PSK