Permit (EC)DHEPSK KEX on SECLEVEL3

[beldmit]

Resolves: #17743

Checklist

• documentation is added or updated
• tests are added or updated

[mattcaswell]

Should this go to 1.1.1 as well?

[romen]

Nit: This PR could be a good candidate to also consistently use SSL_kDHE instead of SSL_kEDH in our codebase, and the same goes for SSL_kECDHE over SSL_kEECDH.
We already have them defined as respective aliases, and even in the OTC we were not entirely sure about the meaning of the less usual aliases used here.

openssl/ssl/ssl_local.h

Lines 165 to 172 in a044af4

	/* tmp DH key no DH cert */
	# define SSL_kDHE 0x00000002U
	/* synonym */
	# define SSL_kEDH SSL_kDHE
	/* ephemeral ECDH */
	# define SSL_kECDHE 0x00000004U
	/* synonym */
	# define SSL_kEECDH SSL_kECDHE

[romen]

Nit: I think it might be more readable to have L1023 initialize pfs_mask as zero, and set it to SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK here, so one can immediately verify what the check is doing.

[romen]

• Without specifying -tls1_2 or earlier, this test is not really covering the new code: if I understand this recipe correctly, the default is equivalent to -tls1_3 if nothing is specified. We should explicitly test for -tls1_2, not sure about previous versions.
• Maybe we could add also negative tests here: testing that the RSA PSK ciphers are not accepted at SECLEVEL=3.
• Also maybe we should fill the gap and add tests to also cover the SSL_kDHE and SSL_kECDHE in TLS < 1.3

[romen]

@mattcaswell you are more familiar with these tests than I am, can you check what I commented here?

[mattcaswell]

Without specifying -tls1_2 or earlier, this test is not really covering the new code: if I understand this recipe correctly, the default is equivalent to -tls1_3 if nothing is specified. We should explicitly test for -tls1_2, not sure about previous versions.

Yes - this is correct. Good catch.

[beldmit]

Too good catch - it doesn't work :)

[romen]

Should this go to 1.1.1 as well?

I think during the call there was consensus about considering #17743 as a bug, which would make it eligible for backport to 1.1.1.
We should probably add in the agenda for next meeting an item to discuss this once the PR is ready to have a final headcount on backporting it.

[romen]

@beldmit @mattcaswell I opened #17763 as an alternative to this: I started working on this yesterday but run out of time preparing the tests commit. Hopefully it should fix the CI errors.

[beldmit]

I see the same test failures as in my PR :(
Though yours, definitely, is more comprehensive.

[paulidale]

I don't think there is a need to discuss this on the OTC call. If it is a bug fix, it can go back to 1.1.1. If it isn't a bug fix it can't go into 3.0. Since it's going into 3.0, it's a bug fix.

[romen]

Closing as the alternative in #17763 and #17791 has been merged.