author | Matt Caswell <matt@openssl.org> | 2021-04-27 15:04:11 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-04-29 15:52:49 +0100 |
commit | d77ba503a2cf1c83098baca345327761b991d191 (patch) | |
tree | 43465b1fdc06cb965a6def3c09f2514f90027d35 /test | |
parent | 8ce390e1399a27e1c6e14756927e2331ee1cb5c5 (diff) |
Adjust ssl_test_new for SHA1 security level
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.
There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.
Fixes #14956
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)
Diffstat (limited to 'test')
-rw-r--r-- | test/ssl-tests/16-dtls-certstatus.cnf | 8 | ||||
-rw-r--r-- | test/ssl-tests/16-dtls-certstatus.cnf.in | 33 | ||||
-rw-r--r-- | test/ssl-tests/18-dtls-renegotiate.cnf | 20 | ||||
-rw-r--r-- | test/ssl-tests/18-dtls-renegotiate.cnf.in | 28 | ||||
-rw-r--r-- | test/ssl-tests/protocol_version.pm | 7 |
5 files changed, 68 insertions, 28 deletions
diff --git a/test/ssl-tests/16-dtls-certstatus.cnf b/test/ssl-tests/16-dtls-certstatus.cnf index a561803a55..ee46be4d3b 100644 --- a/test/ssl-tests/16-dtls-certstatus.cnf +++ b/test/ssl-tests/16-dtls-certstatus.cnf @@ -15,11 +15,11 @@ client = 0-certstatus-good-client [0-certstatus-good-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-certstatus-good-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -43,11 +43,11 @@ client = 1-certstatus-bad-client [1-certstatus-bad-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-certstatus-bad-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/16-dtls-certstatus.cnf.in b/test/ssl-tests/16-dtls-certstatus.cnf.in index c5545991d2..ebab3d7ca2 100644 --- a/test/ssl-tests/16-dtls-certstatus.cnf.in +++ b/test/ssl-tests/16-dtls-certstatus.cnf.in @@ -15,15 +15,22 @@ use warnings; package ssltests; use OpenSSL::Test::Utils; -our @tests = ( +our $fips_mode; + +our @tests = (); + +our @tests_standard = ( { name => "certstatus-good", server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { - "CertStatus" => "GoodResponse", + "CertStatus" => "GoodResponse" }, }, - client => {}, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + }, test => { "Method" => "DTLS", "ExpectedResult" => "Success" 
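Review bot: The new CipherString values in the 16-dtls-certstatus.cnf.in hunk are written as `"DEFAULT:\@SECLEVEL=0"`, needing the `\@` escape, while 18-dtls-renegotiate.cnf.in later in this commit uses `'DEFAULT:@SECLEVEL=0'`; single quotes avoid the escape and the two generators should agree on one form. The same hunk drops the trailing comma after `"CertStatus" => "GoodResponse"` although the `BadResponse` entry keeps it, which looks accidental. Nothing in the hunk records why security level 0 is needed, so a comment above `our @tests_standard = (` such as `# SECLEVEL=0: SHA1 now sits at level 0 but is still required when DTLSv1.2 is disabled` would help the next reader; note that these tests now run at level 0 even when DTLSv1.2 is available, so the default level is no longer exercised here. `our $fips_mode;` is declared but never assigned in the hunk, so it is presumably set by the test generator before this file is evaluated — a one-line comment saying so would remove the guesswork.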
@@ -32,11 +39,14 @@ our @tests = ( { name => "certstatus-bad", server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "BadResponse", }, }, - client => {}, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + }, test => { "Method" => "DTLS", "ExpectedResult" => "ClientFail" @@ -48,11 +58,14 @@ our @tests_sctp = ( { name => "certstatus-good", server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "GoodResponse", }, }, - client => {}, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + }, test => { "Method" => "DTLS", "UseSCTP" => "Yes", @@ -62,11 +75,14 @@ our @tests_sctp = ( { name => "certstatus-bad", server => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", extra => { "CertStatus" => "BadResponse", }, }, - client => {}, + client => { + "CipherString" => "DEFAULT:\@SECLEVEL=0", + }, test => { "Method" => "DTLS", "UseSCTP" => "Yes", @@ -75,4 +91,7 @@ our @tests_sctp = ( }, ); -push @tests, @tests_sctp unless disabled("sctp") || disabled("sock"); +if (!$fips_mode || !disabled("dtls1_2")) { + push @tests, @tests_standard; + push @tests, @tests_sctp unless disabled("sctp") || disabled("sock"); +} diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf b/test/ssl-tests/18-dtls-renegotiate.cnf index 9204dd2c5d..0f3d1eae23 100644 --- a/test/ssl-tests/18-dtls-renegotiate.cnf +++ b/test/ssl-tests/18-dtls-renegotiate.cnf @@ -22,12 +22,12 @@ client = 0-renegotiate-client-no-resume-client [0-renegotiate-client-no-resume-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 Options = NoResumptionOnRenegotiation PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-renegotiate-client-no-resume-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
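Review bot: The guard `if (!$fips_mode || !disabled("dtls1_2"))` at the end of 16-dtls-certstatus.cnf.in states the rule in negated form, whereas 18-dtls-renegotiate.cnf.in in the same commit writes the equivalent `disabled("dtls1_2") && $fips_mode`; the reader has to apply De Morgan to see that both mean "skip everything when FIPS is on and DTLSv1.2 is off". Writing it as `unless ($fips_mode && disabled("dtls1_2")) {` or `if (!($fips_mode && disabled("dtls1_2"))) {`, with a comment `# The FIPS provider only supports DTLSv1.2, so without it there is nothing to test`, matches the commit message and the sibling file. The condition's effect on `@tests` (left empty in that case) is inferred from the hunk and presumably what the generator expects for "no tests".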
@@ -50,11 +50,11 @@ client = 1-renegotiate-client-resume-client [1-renegotiate-client-resume-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-renegotiate-client-resume-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -77,11 +77,11 @@ client = 2-renegotiate-server-resume-client [2-renegotiate-server-resume-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-renegotiate-server-resume-client] -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer @@ -104,14 +104,14 @@ client = 3-renegotiate-client-auth-require-client [3-renegotiate-client-auth-require-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Require [3-renegotiate-client-auth-require-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer 
@@ -135,14 +135,14 @@ client = 4-renegotiate-client-auth-once-client [4-renegotiate-client-auth-once-server] Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem VerifyMode = Once [4-renegotiate-client-auth-once-client] Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem -CipherString = DEFAULT +CipherString = DEFAULT:@SECLEVEL=0 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem VerifyMode = Peer diff --git a/test/ssl-tests/18-dtls-renegotiate.cnf.in b/test/ssl-tests/18-dtls-renegotiate.cnf.in index b8ec735eb2..400ec67d31 100644 --- a/test/ssl-tests/18-dtls-renegotiate.cnf.in +++ b/test/ssl-tests/18-dtls-renegotiate.cnf.in @@ -15,20 +15,26 @@ use warnings; package ssltests; use OpenSSL::Test::Utils; +our $fips_mode; + our @tests = (); foreach my $sctp ("No", "Yes") { next if disabled("sctp") && $sctp eq "Yes"; + next if disabled("dtls1_2") && $fips_mode; my $suffix = ($sctp eq "No") ? "" : "-sctp"; our @tests_basic = ( { name => "renegotiate-client-no-resume".$suffix, server => { + "CipherString" => 'DEFAULT:@SECLEVEL=0', "Options" => "NoResumptionOnRenegotiation" }, - client => {}, + client => { + "CipherString" => 'DEFAULT:@SECLEVEL=0' + }, test => { "Method" => "DTLS", "UseSCTP" => $sctp, @@ -39,8 +45,12 @@ foreach my $sctp ("No", "Yes") }, { name => "renegotiate-client-resume".$suffix, - server => {}, - client => {}, + server => { + "CipherString" => 'DEFAULT:@SECLEVEL=0' + }, + client => { + "CipherString" => 'DEFAULT:@SECLEVEL=0' + }, test => { "Method" => "DTLS", "UseSCTP" => $sctp, 
@@ -60,8 +70,12 @@ foreach my $sctp ("No", "Yes") # and if so, what to? { name => "renegotiate-server-resume".$suffix, - server => {}, - client => {}, + server => { + "CipherString" => 'DEFAULT:@SECLEVEL=0' + }, + client => { + "CipherString" => 'DEFAULT:@SECLEVEL=0' + }, test => { "Method" => "DTLS", "UseSCTP" => $sctp, @@ -75,10 +89,12 @@ foreach my $sctp ("No", "Yes") server => { "VerifyCAFile" => test_pem("root-cert.pem"), "VerifyMode" => "Require", + "CipherString" => 'DEFAULT:@SECLEVEL=0' }, client => { "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), + "CipherString" => 'DEFAULT:@SECLEVEL=0' }, test => { "Method" => "DTLS", @@ -93,10 +109,12 @@ foreach my $sctp ("No", "Yes") server => { "VerifyCAFile" => test_pem("root-cert.pem"), "VerifyMode" => "Once", + "CipherString" => 'DEFAULT:@SECLEVEL=0' }, client => { "Certificate" => test_pem("ee-client-chain.pem"), "PrivateKey" => test_pem("ee-key.pem"), + "CipherString" => 'DEFAULT:@SECLEVEL=0' }, test => { "Method" => "DTLS", diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm index 9e9b9a892d..4e4ce365d6 100644 --- a/test/ssl-tests/protocol_version.pm +++ b/test/ssl-tests/protocol_version.pm @@ -102,7 +102,10 @@ $min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab $max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips); sub no_tests { - my ($dtls) = @_; + my ($dtls, $fips) = @_; + if ($dtls && $fips) { + return disabled("dtls1_2"); + } return $dtls ? alldisabled("dtls1", "dtls1_2") : alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3"); } @@ -134,7 +137,7 @@ sub generate_version_tests { $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled; } - if (no_tests($dtls)) { + if (no_tests($dtls, $fips)) { return; } |
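Review bot: The new `$fips` parameter of `no_tests` in protocol_version.pm is undocumented, and because the sub unpacks `my ($dtls, $fips) = @_;` any caller that was not updated in this commit (only the call in `generate_version_tests` is changed here; if `generate_resumption_tests` or others also call `no_tests`, that is outside the hunk) silently keeps the non-FIPS behaviour with `$fips` undef. A header comment such as `# True when no protocol-version tests can run; with the FIPS provider DTLS is limited to DTLSv1.2, so only that version is checked.` would make the contract explicit. The literal `disabled("dtls1_2")` also restates what the context line `min_prot_enabled(\@dtls_protocols_fips, ...)` already encodes; if `@dtls_protocols_fips` lists exactly the FIPS-supported DTLS versions, `return alldisabled(@dtls_protocols_fips);` would keep that knowledge in one place. The TLS branch is left unchanged, so the FIPS flag is only consulted for DTLS — presumably intended, but worth a note.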