Commit 15a06488 authored by Emilia Kasper's avatar Emilia Kasper

Enable DH tests



In master, the 'dh' command is gone, so use 'dhparam' instead to
determine if we're compiled with DH.

Also, set "@SECLEVEL=1" for the weak DH test, so that it actually
passes.

Reviewed-by: default avatarDr Stephen Henson <steve@openssl.org>
parent f2e19cb1
+2 −1
@@ -1429,7 +1429,8 @@ int main(int argc, char *argv[])
    }
    /*
     * Since we will use low security ciphersuites and keys for testing set
     * security level to zero.
     * security level to zero by default. Tests can override this by adding
     * "@SECLEVEL=n" to the cipher string.
     */
    SSL_CTX_set_security_level(c_ctx, 0);
    SSL_CTX_set_security_level(s_ctx, 0);
+5 −5
@@ -139,7 +139,7 @@ for protocol in TLSv1.2 SSLv3; do
  for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
    test_cipher $cipher $protocol
  done
  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
    echo "skipping RSA+DHE tests"
  else
    for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
@@ -147,9 +147,9 @@ for protocol in TLSv1.2 SSLv3; do
    done
    echo "testing connection with weak DH, expecting failure"
    if [ $protocol = "SSLv3" ] ; then
      $ssltest -cipher EDH -dhe512 -ssl3
      $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3
    else
      $ssltest -cipher EDH -dhe512
      $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512
    fi
    if [ $? -eq 0 ]; then
      echo "FAIL: connection with weak DH succeeded"
@@ -167,7 +167,7 @@ done

#############################################################################

if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
  echo skipping anonymous DH tests
else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
@@ -180,7 +180,7 @@ else
  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1

  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
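Review bot: The weak-DH check in the second hunk (`$ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512`) counts any non-zero exit as the expected rejection, so a failure unrelated to the 512-bit key, such as an unrecognised option or no EDH suite shared by both sides, would also let the test pass. A control run placed before it with the same cipher strings but without `-dhe512`, e.g. `$ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" || exit 1`, would show that the handshake succeeds at level 1 when the key is not weak; the SSLv3 branch needs the same with `-ssl3`. Whether ssltest's default DH parameters clear level 1 is not visible here and should be confirmed first. The `if [ $? -eq 0 ]` body continues outside the hunk.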
+1 −1
@@ -130,7 +130,7 @@ $ define/user sys$output nla0:
$	mcr 'exe_dir'openssl no-rsa
$	no_rsa=$SEVERITY
$	define/user sys$output nla0:
$	mcr 'exe_dir'openssl no-dh
$	mcr 'exe_dir'openssl no-dhparam
$	no_dh=$SEVERITY
$
$	if no_dh