

test: fix test-tls-client-mindhsize for OpenSSL32
Refs: #53382

- OpenSSL 3.2 enforces a minimum DH key size of 2048 bits by
  default.
- Create the larger 3072-bit DH parameters needed for testing and
  adjust the tests to use them for builds with OpenSSL 3.2

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: #54739
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
mhdawson authored and jasnell committed Sep 12, 2024
1 parent 8eb9353 commit d9ca8b0
Showing 3 changed files with 36 additions and 9 deletions.
4 changes: 4 additions & 0 deletions test/fixtures/keys/Makefile
Expand Up @@ -24,6 +24,7 @@ all: \
dh512.pem \
dh1024.pem \
dh2048.pem \
dh3072.pem \
dherror.pem \
dh_private.pem \
dh_public.pem \
Expand Down Expand Up @@ -596,6 +597,9 @@ dh1024.pem:
dh2048.pem:
openssl dhparam -out dh2048.pem 2048

dh3072.pem:
openssl dhparam -out dh3072.pem 3072

dherror.pem: dh1024.pem
sed 's/^[^-].*/AAAAAAAAAA/g' dh1024.pem > dherror.pem

11 changes: 11 additions & 0 deletions test/fixtures/keys/dh3072.pem
@@ -0,0 +1,11 @@
-----BEGIN DH PARAMETERS-----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-----END DH PARAMETERS-----
30 changes: 21 additions & 9 deletions test/parallel/test-tls-client-mindhsize.js
Expand Up @@ -35,11 +35,12 @@ function test(size, err, next) {
});

server.listen(0, function() {
// Client set minimum DH parameter size to 2048 bits so that
// it fails when it make a connection to the tls server where
// dhparams is 1024 bits
// Client set minimum DH parameter size to 2048 or 3072 bits
// so that it fails when it makes a connection to the tls
// server where is too small
const minDHSize = common.hasOpenSSL(3, 2) ? 3072 : 2048;
const client = tls.connect({
minDHSize: 2048,
minDHSize: minDHSize,
port: this.address().port,
rejectUnauthorized: false,
maxVersion: 'TLSv1.2',
Expand All @@ -60,16 +61,27 @@ function test(size, err, next) {
// A client connection fails with an error when a client has an
// 2048 bits minDHSize option and a server has 1024 bits dhparam
function testDHE1024() {
test(1024, true, testDHE2048);
test(1024, true, testDHE2048(false, null));
}

// Test a client connection when a client has an
// 2048 bits minDHSize option
function testDHE2048(expect_to_fail, next) {
test(2048, expect_to_fail, next);
}

// A client connection successes when a client has an
// 2048 bits minDHSize option and a server has 2048 bits dhparam
function testDHE2048() {
test(2048, false, null);
// 3072 bits minDHSize option and a server has 3072 bits dhparam
function testDHE3072() {
test(3072, false, null);
}

testDHE1024();
if (common.hasOpenSSL(3, 2)) {
// Minimum size for OpenSSL 3.2 is 2048 by default
testDHE2048(true, testDHE3072);
} else {
testDHE1024();
}

assert.throws(() => test(512, true, common.mustNotCall()),
/DH parameter is less than 1024 bits/);
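Review bot: In testDHE1024 in the second hunk, `test(1024, true, testDHE2048(false, null));` calls testDHE2048 immediately and passes its return value, `undefined`, as `next`, so the 2048-bit server is started alongside the 1024-bit one rather than after it and the 1024-bit run has no continuation; the old line passed the function itself, and the intent here is `test(1024, true, () => testDHE2048(false, null));`. Both connections presumably still complete, so the final pass/fail counts may come out right, but the sequential chaining the other call sites rely on (`testDHE2048(true, testDHE3072)` passes a real callback) is silently lost on the pre-3.2 path. The body of `test`, including what it does with `next`, lies outside this hunk, so whether `next` is invoked on server close is inferred from the old call sites rather than visible. Separately, the rewritten comment in the first hunk ends with `// server where is too small`; `// server whose dhparam is too small` says what was meant.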
