test: account for RFC 7919 FFDHE negotiation in OpenSSL 4.0

Author: panva

test/parallel/test-tls-client-getephemeralkeyinfo.js

@@ -70,7 +70,10 @@ function test(size, type, name, cipher) {
 
 test(undefined, undefined, undefined, 'AES256-SHA256');
 test('auto', 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384');
-if (!hasOpenSSL(3, 2)) {
+if (hasOpenSSL(4, 0)) {
+  // OpenSSL 4.0 implements RFC 7919 FFDHE negotiation for TLS 1.2 and
+  // always selects FFDHE-2048 regardless of the server-supplied dhparam.
+} else if (!hasOpenSSL(3, 2)) {
   test(1024, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384');
 } else {
   test(3072, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384');

test/parallel/test-tls-client-mindhsize.js

@@ -13,6 +13,7 @@ const secLevel = require('internal/crypto/util').getOpenSSLSecLevel();
 const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
+const { hasOpenSSL } = require('../common/crypto');
 
 const key = fixtures.readKey('agent2-key.pem');
 const cert = fixtures.readKey('agent2-cert.pem');
@@ -24,7 +25,7 @@ function loadDHParam(n) {
   return fixtures.readKey(`dh${n}.pem`);
 }
 
-function test(size, err, next) {
+function test(size, err, next, minDHSizeOverride) {
   const options = {
     key: key,
     cert: cert,
@@ -46,7 +47,7 @@ function test(size, err, next) {
     // so that it fails when it makes a connection to the tls
     // server where is too small. This depends on the openssl
     // security level
-    const minDHSize = (secLevel > 1) ? 3072 : 2048;
+    const minDHSize = minDHSizeOverride ?? ((secLevel > 1) ? 3072 : 2048);
     const client = tls.connect({
       minDHSize: minDHSize,
       port: this.address().port,
@@ -84,7 +85,12 @@ function testDHE3072() {
   test(3072, false, null);
 }
 
-if (secLevel > 1) {
+if (hasOpenSSL(4, 0)) {
+  // OpenSSL 4.0 implements RFC 7919 FFDHE negotiation for TLS 1.2 and
+  // ignores the server-supplied dhparam in favor of FFDHE-2048. The 3072
+  // success case is therefore replaced by a 2048 success case.
+  testDHE2048(true, () => test(2048, false, null, 2048));
+} else if (secLevel > 1) {
   // Minimum size for OpenSSL security level 2 and above is 2048 by default
   testDHE2048(true, testDHE3072);
 } else {

test/parallel/test-tls-dhe.js

@@ -28,6 +28,7 @@ if (!common.hasCrypto) {
 
 const {
   opensslCli,
+  hasOpenSSL,
 } = require('../common/crypto');
 
 // OpenSSL has a set of security levels which affect what algorithms
@@ -104,9 +105,15 @@ function testCustomParam(keylen, expectedCipher) {
 }
 
 (async () => {
-  // By default, DHE is disabled while ECDHE is enabled.
+  // By default, DHE is disabled while ECDHE is enabled. OpenSSL 4.0
+  // implements RFC 7919 FFDHE negotiation for TLS 1.2 which enables DHE
+  // (with FFDHE-2048) even without a server-supplied dhparam.
   for (const dhparam of [undefined, null]) {
-    await test(dhparam, null, ecdheCipher);
+    if (hasOpenSSL(4, 0)) {
+      await test(dhparam, 2048, dheCipher);
+    } else {
+      await test(dhparam, null, ecdheCipher);
+    }
   }
 
   // The DHE parameters selected by OpenSSL depend on the strength of the
@@ -124,14 +131,24 @@ function testCustomParam(keylen, expectedCipher) {
 
   // Custom DHE parameters are supported (but discouraged).
   // 1024 is disallowed at security level 2 and above so use 3072 instead
-  // for higher security levels
+  // for higher security levels.
+  // OpenSSL 4.0 implements RFC 7919 FFDHE negotiation for TLS 1.2 and
+  // ignores the server-supplied dhparam in favor of FFDHE-2048, so the
+  // negotiated key length is always 2048.
   if (secLevel < 2) {
     await testCustomParam(1024, dheCipher);
+  } else if (hasOpenSSL(4, 0)) {
+    await test(loadDHParam(3072), 2048, dheCipher);
   } else {
     await testCustomParam(3072, dheCipher);
   }
   await testCustomParam(2048, dheCipher);
 
-  // Invalid DHE parameters are discarded. ECDHE remains enabled.
-  await testCustomParam('error', ecdheCipher);
+  // Invalid DHE parameters are discarded. Prior to OpenSSL 4.0 this
+  // disabled DHE and ECDHE was negotiated; since 4.0, FFDHE-2048 is used.
+  if (hasOpenSSL(4, 0)) {
+    await test(loadDHParam('error'), 2048, dheCipher);
+  } else {
+    await testCustomParam('error', ecdheCipher);
+  }
 })().then(common.mustCall());