Enable DH tests

In master, the 'dh' command is gone, so use 'dhparam' instead to
determine if we're compiled with DH.

Also, set "@SECLEVEL=1" for the weak DH test, so that it actually
passes.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

diff --git a/test/ssltest.c b/test/ssltest.c
index f640d927f2a9016aba6d8930aff0ca29cc5b20bf..26cf96c87059c585d29498fa26661796ca061191 100644 (file)
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -1429,7 +1429,8 @@ int main(int argc, char *argv[])
     }
     /*
      * Since we will use low security ciphersuites and keys for testing set
-     * security level to zero.
+     * security level to zero by default. Tests can override this by adding
+     * "@SECLEVEL=n" to the cipher string.
      */
     SSL_CTX_set_security_level(c_ctx, 0);
     SSL_CTX_set_security_level(s_ctx, 0);

diff --git a/test/testssl b/test/testssl
index 2998b7321eb822f8de2759b53c30034e9e2971b6..0f5db08b5fd5c68f99ee61a70ccef2c67d3c7106 100644 (file)
--- a/test/testssl
+++ b/test/testssl
@@ -139,7 +139,7 @@ for protocol in TLSv1.2 SSLv3; do
   for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
     test_cipher $cipher $protocol
   done
-  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
     echo "skipping RSA+DHE tests"
   else
     for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do
@@ -147,9 +147,9 @@ for protocol in TLSv1.2 SSLv3; do
     done
     echo "testing connection with weak DH, expecting failure"
     if [ $protocol = "SSLv3" ] ; then
-      $ssltest -cipher EDH -dhe512 -ssl3
+      $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3
     else
-      $ssltest -cipher EDH -dhe512
+      $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512
     fi
     if [ $? -eq 0 ]; then
       echo "FAIL: connection with weak DH succeeded"
@@ -167,7 +167,7 @@ done
 
 #############################################################################
 
-if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
   echo skipping anonymous DH tests
 else
   echo test tls1 with 1024bit anonymous DH, multiple handshakes
@@ -180,7 +180,7 @@ else
   echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
   ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
 
-  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
     echo skipping RSA+DHE tests
   else
     echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes

diff --git a/test/testssl.com b/test/testssl.com
index 3782e352bb9a9967913bfd184534979d7198c58f..6f9b233e45034f75c323281207f83d37c71effa2 100644 (file)
--- a/test/testssl.com
+++ b/test/testssl.com
@@ -130,7 +130,7 @@ $   define/user sys$output nla0:
 $      mcr 'exe_dir'openssl no-rsa
 $      no_rsa=$SEVERITY
 $      define/user sys$output nla0:
-$      mcr 'exe_dir'openssl no-dh
+$      mcr 'exe_dir'openssl no-dhparam
 $      no_dh=$SEVERITY
 $
 $      if no_dh