authorBernd Edlinger <bernd.edlinger@hotmail.de>2021-08-27 21:34:37 +0200
committerTomas Mraz <tomas@openssl.org>2021-08-30 12:28:08 +0200
commitf661c76a9e27a87f4bbbed135faf89a3fccac75f (patch)
treee9b68392a5f0c59fb613c9cda2164fee7f0495ce /test
parent0888183816636f994a3384cde211c88e0d4d1f6a (diff)
Fix no-tls1_3 tests
This recently added test needs DH2048 to work without tls1_3. Fixes: #16335 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16453)
Diffstat (limited to 'test')
-rw-r--r--test/recipes/80-test_ssl_old.t2
-rw-r--r--test/ssltest_old.c41
2 files changed, 42 insertions, 1 deletions
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 6f5fdb7669..9800de0fc8 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -519,7 +519,7 @@ sub testssl {
skip "skipping auto PSK tests", 1
if ($no_dh || $no_psk || $no_ec);
- ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
+ ok(run(test(['ssltest_old', '-dhe2048', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
'test auto DH meets security strength');
}
}
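Review bot: The assertion label on the unchanged line, `'test auto DH meets security strength'`, may no longer describe what the case exercises once `-dhe2048` is passed, since that option appears to make ssltest_old install a fixed 2048-bit group via SSL_CTX_set_tmp_dh rather than leave group selection automatic. If that reading is right, a label such as `'test 2048-bit DHE-PSK meets SECLEVEL=2 security strength'` would keep the test output honest; if "auto DH" refers to the peer side and still applies, a short comment above the `ok(...)` saying why the server needs an explicit 2048-bit group without TLS 1.3 would help the next reader. The enclosing `testssl` sub starts outside the hunk.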
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 36e6031f3a..cc98e4f866 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -95,6 +95,7 @@ struct app_verify_arg {
static DH *get_dh512(void);
static DH *get_dh1024(void);
static DH *get_dh1024dsa(void);
+static DH *get_dh2048(void);
#endif
static char *psk_key = NULL; /* by default PSK is not used */
@@ -641,6 +642,8 @@ static void sv_usage(void)
" -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
+ fprintf(stderr,
+ " -dhe2048 - use 2048 bit key (rfc3526 pime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
#endif
#ifndef OPENSSL_NO_EC
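Review bot: The new usage string has a typo, "rfc3526 pime" should read "rfc3526 prime": `" -dhe2048 - use 2048 bit key (rfc3526 prime) for DHE\n");`. The surrounding -dhe options spell out the key property in parentheses, so the corrected text also stays consistent with them. sv_usage continues outside the hunk on both sides.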
@@ -895,6 +898,7 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe512 = 0, dhe1024dsa = 0;
+ int dhe2048 = 0;
#endif
int no_dhe = 0;
int no_psk = 0;
@@ -990,6 +994,13 @@ int main(int argc, char *argv[])
fprintf(stderr,
"ignoring -dhe512, since I'm compiled without DH\n");
#endif
+ } else if (strcmp(*argv, "-dhe2048") == 0) {
+#ifndef OPENSSL_NO_DH
+ dhe2048 = 1;
+#else
+ fprintf(stderr,
+ "ignoring -dhe2048, since I'm compiled without DH\n");
+#endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
#ifndef OPENSSL_NO_DH
dhe1024dsa = 1;
@@ -1482,6 +1493,8 @@ int main(int argc, char *argv[])
dh = get_dh1024dsa();
} else if (dhe512)
dh = get_dh512();
+ else if (dhe2048)
+ dh = get_dh2048();
else
dh = get_dh1024();
SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3019,6 +3032,34 @@ static DH *get_dh1024dsa(void)
DH_set_length(dh, 160);
return dh;
}
+
+static DH *get_dh2048(void)
+{
+ BIGNUM *p = NULL, *g = NULL;
+ DH *dh = NULL;
+
+ if ((dh = DH_new()) == NULL)
+ return NULL;
+
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2))
+ goto err;
+
+ p = BN_get_rfc3526_prime_2048(NULL);
+ if (p == NULL)
+ goto err;
+
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
+
+ return dh;
+
+ err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
+}
#endif
#ifndef OPENSSL_NO_PSK