[openssl] OpenSSL_1_1_1-stable update
tomas at openssl.org
tomas at openssl.org
Mon Aug 30 10:28:29 UTC 2021
The branch OpenSSL_1_1_1-stable has been updated
via f661c76a9e27a87f4bbbed135faf89a3fccac75f (commit)
from 0888183816636f994a3384cde211c88e0d4d1f6a (commit)
- Log -----------------------------------------------------------------
commit f661c76a9e27a87f4bbbed135faf89a3fccac75f
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date: Fri Aug 27 21:34:37 2021 +0200
Fix no-tls1_3 tests
This recently added test needs DH2048 to work without tls1_3.
Fixes: #16335
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16453)
-----------------------------------------------------------------------
Summary of changes:
.github/workflows/run-checker-ci.yml | 3 +--
.github/workflows/run-checker-daily.yml | 3 +--
test/recipes/80-test_ssl_old.t | 2 +-
test/ssltest_old.c | 41 +++++++++++++++++++++++++++++++++
4 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 7a171bff9d..a999492207 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -20,8 +20,7 @@ jobs:
no-tests,
no-threads,
no-tls,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-# no-tls1_3,
+ no-tls1_3,
no-ts,
no-ui,
]
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index c1b0327ae3..e335b87b31 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -50,8 +50,7 @@ jobs:
no-egd,
no-engine,
no-external-tests,
-# no-tls1_3 temporarily disabled due to failures to be investigated separately
-# no-tls1_3,
+ no-tls1_3,
no-fuzz-afl,
no-fuzz-libfuzzer,
no-gost,
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 6f5fdb7669..9800de0fc8 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -519,7 +519,7 @@ sub testssl {
skip "skipping auto PSK tests", 1
if ($no_dh || $no_psk || $no_ec);
- ok(run(test(['ssltest_old', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
+ ok(run(test(['ssltest_old', '-dhe2048', '-psk', '0102030405', '-cipher', '@SECLEVEL=2:DHE-PSK-AES128-CCM'])),
'test auto DH meets security strength');
}
}
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 36e6031f3a..cc98e4f866 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -95,6 +95,7 @@ struct app_verify_arg {
static DH *get_dh512(void);
static DH *get_dh1024(void);
static DH *get_dh1024dsa(void);
+static DH *get_dh2048(void);
#endif
static char *psk_key = NULL; /* by default PSK is not used */
@@ -641,6 +642,8 @@ static void sv_usage(void)
" -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
+ fprintf(stderr,
+ " -dhe2048 - use 2048 bit key (rfc3526 pime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
#endif
#ifndef OPENSSL_NO_EC
@@ -895,6 +898,7 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe512 = 0, dhe1024dsa = 0;
+ int dhe2048 = 0;
#endif
int no_dhe = 0;
int no_psk = 0;
@@ -989,6 +993,13 @@ int main(int argc, char *argv[])
#else
fprintf(stderr,
"ignoring -dhe512, since I'm compiled without DH\n");
+#endif
+ } else if (strcmp(*argv, "-dhe2048") == 0) {
+#ifndef OPENSSL_NO_DH
+ dhe2048 = 1;
+#else
+ fprintf(stderr,
+ "ignoring -dhe2048, since I'm compiled without DH\n");
#endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
#ifndef OPENSSL_NO_DH
@@ -1482,6 +1493,8 @@ int main(int argc, char *argv[])
dh = get_dh1024dsa();
} else if (dhe512)
dh = get_dh512();
+ else if (dhe2048)
+ dh = get_dh2048();
else
dh = get_dh1024();
SSL_CTX_set_tmp_dh(s_ctx, dh);
@@ -3019,6 +3032,34 @@ static DH *get_dh1024dsa(void)
DH_set_length(dh, 160);
return dh;
}
+
+static DH *get_dh2048(void)
+{
+ BIGNUM *p = NULL, *g = NULL;
+ DH *dh = NULL;
+
+ if ((dh = DH_new()) == NULL)
+ return NULL;
+
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2))
+ goto err;
+
+ p = BN_get_rfc3526_prime_2048(NULL);
+ if (p == NULL)
+ goto err;
+
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
+
+ return dh;
+
+ err:
+ DH_free(dh);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
+}
#endif
#ifndef OPENSSL_NO_PSK
More information about the openssl-commits
mailing list