[openssl] OpenSSL_1_1_1-stable update

tomas at openssl.org tomas at openssl.org
Mon Aug 30 10:28:29 UTC 2021 

The branch OpenSSL_1_1_1-stable has been updated
       via  f661c76a9e27a87f4bbbed135faf89a3fccac75f (commit)
      from  0888183816636f994a3384cde211c88e0d4d1f6a (commit)


- Log -----------------------------------------------------------------
commit f661c76a9e27a87f4bbbed135faf89a3fccac75f
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Fri Aug 27 21:34:37 2021 +0200

    Fix no-tls1_3 tests
    
    This recently added test needs DH2048 to work without tls1_3.
    
    Fixes: #16335
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16453)

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/run-checker-ci.yml    |  3 +--
 .github/workflows/run-checker-daily.yml |  3 +--
 test/recipes/80-test_ssl_old.t          |  2 +-
 test/ssltest_old.c                      | 41 +++++++++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 7a171bff9d..a999492207 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -20,8 +20,7 @@ jobs:
           no-tests,
           no-threads,
           no-tls,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#          no-tls1_3,
+          no-tls1_3,
           no-ts,
           no-ui,
         ]
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c1b0327ae3..e335b87b31 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -50,8 +50,7 @@ jobs:
           no-egd,
           no-engine,
           no-external-tests,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-#          no-tls1_3,
+          no-tls1_3,
           no-fuzz-afl,
           no-fuzz-libfuzzer,
           no-gost,
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 6f5fdb7669..9800de0fc8 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -519,7 +519,7 @@ sub testssl {
 	    skip "skipping auto PSK tests", 1
 	        if ($no_dh || $no_psk || $no_ec);
 
-	    ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
+	    ok(run(test(['ssltest_old', '-dhe2048', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
 	       'test auto DH meets security strength');
 	  }
 	}
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 36e6031f3a..cc98e4f866 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -95,6 +95,7 @@ struct app_verify_arg {
 static DH *get_dh512(void);
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
+static DH *get_dh2048(void);
 #endif
 
 static char *psk_key = NULL;    /* by default PSK is not used */
@@ -641,6 +642,8 @@ static void sv_usage(void)
             " -dhe1024      - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
     fprintf(stderr,
             " -dhe1024dsa   - use 1024 bit key (with 160-bit subprime) for DHE\n");
+    fprintf(stderr,
+            " -dhe2048      - use 2048 bit key (rfc3526 pime) for DHE\n");
     fprintf(stderr, " -no_dhe       - disable DHE\n");
 #endif
 #ifndef OPENSSL_NO_EC
@@ -895,6 +898,7 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
     DH *dh;
     int dhe512 = 0, dhe1024dsa = 0;
+    int dhe2048 = 0;
 #endif
     int no_dhe = 0;
     int no_psk = 0;
@@ -989,6 +993,13 @@ int main(int argc, char *argv[])
 #else
             fprintf(stderr,
                     "ignoring -dhe512, since I'm compiled without DH\n");
+#endif
+        } else if (strcmp(*argv, "-dhe2048") == 0) {
+#ifndef OPENSSL_NO_DH
+            dhe2048 = 1;
+#else
+            fprintf(stderr,
+                    "ignoring -dhe2048, since I'm compiled without DH\n");
 #endif
         } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
 #ifndef OPENSSL_NO_DH
@@ -1482,6 +1493,8 @@ int main(int argc, char *argv[])
             dh = get_dh1024dsa();
         } else if (dhe512)
             dh = get_dh512();
+        else if (dhe2048)
+            dh = get_dh2048();
         else
             dh = get_dh1024();
         SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3019,6 +3032,34 @@ static DH *get_dh1024dsa(void)
     DH_set_length(dh, 160);
     return dh;
 }
+
+static DH *get_dh2048(void)
+{
+    BIGNUM *p = NULL, *g = NULL;
+    DH *dh = NULL;
+
+    if ((dh = DH_new()) == NULL)
+        return NULL;
+
+    g = BN_new();
+    if (g == NULL || !BN_set_word(g, 2))
+        goto err;
+
+    p = BN_get_rfc3526_prime_2048(NULL);
+    if (p == NULL)
+        goto err;
+
+    if (!DH_set0_pqg(dh, p, NULL, g))
+        goto err;
+
+    return dh;
+
+ err:
+    DH_free(dh);
+    BN_free(p);
+    BN_free(g);
+    return NULL;
+}
 #endif
 
 #ifndef OPENSSL_NO_PSK

More information about the openssl-commits mailing list