More precise testing of dhm_min_len An SSL client can be configured to insist on a minimum size for the Diffie-Hellman (DHM) parameters sent by the server. Add several test cases where the server sends parameters with exactly the minimum size (must be accepted) or parameters that are one bit too short (must be rejected). Make sure that there are test cases both where the boundary is byte-aligned and where it isn't. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

commit: 3e7b61c42b6dc45f3f2ca3bb41dc113166df03ba [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Tue Dec 08 22:31:52 2020 +0100
committer: Gilles Peskine <Gilles.Peskine@arm.com> Fri Apr 09 17:29:16 2021 +0200
tree: 40cf705eb266bf2c471370b789b22566e5bbed20
parent: 384a0880c4d65bd682f2e376e2addf9ae0551c6c [diff] [blame]
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 7ec83d2..0123521 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -3960,6 +3960,20 @@
             0 \
             -C "DHM prime too short:"
 
+run_test    "DHM size: server 999, client 999, OK" \
+            "$P_SRV dhm_file=data_files/dh.999.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=999" \
+            0 \
+            -C "DHM prime too short:"
+
+run_test    "DHM size: server 1000, client 1000, OK" \
+            "$P_SRV dhm_file=data_files/dh.1000.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1000" \
+            0 \
+            -C "DHM prime too short:"
+
 run_test    "DHM size: server 1000, client default, rejected" \
             "$P_SRV dhm_file=data_files/dh.1000.pem" \
             "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
@@ -3967,6 +3981,27 @@
             1 \
             -c "DHM prime too short:"
 
+run_test    "DHM size: server 1000, client 1001, rejected" \
+            "$P_SRV dhm_file=data_files/dh.1000.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1001" \
+            1 \
+            -c "DHM prime too short:"
+
+run_test    "DHM size: server 999, client 1000, rejected" \
+            "$P_SRV dhm_file=data_files/dh.999.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=1000" \
+            1 \
+            -c "DHM prime too short:"
+
+run_test    "DHM size: server 998, client 999, rejected" \
+            "$P_SRV dhm_file=data_files/dh.998.pem" \
+            "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
+                    debug_level=1 dhmlen=999" \
+            1 \
+            -c "DHM prime too short:"
+
 run_test    "DHM size: server default, client 2049, rejected" \
             "$P_SRV" \
             "$P_CLI force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA \
commit	3e7b61c42b6dc45f3f2ca3bb41dc113166df03ba	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Tue Dec 08 22:31:52 2020 +0100
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Apr 09 17:29:16 2021 +0200
tree	40cf705eb266bf2c471370b789b22566e5bbed20
parent	384a0880c4d65bd682f2e376e2addf9ae0551c6c [diff] [blame]