.gitlab-ci.yml: enable run with SHA-1 enabled
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 17 Sep 2018 10:58:38 +0000 (12:58 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Mon, 17 Sep 2018 10:58:44 +0000 (12:58 +0200)
This adds a CI run with SHA-1 enabled, and corrects issues in the
testsuite when that's the case.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
.gitlab-ci.yml
tests/dn2.c
tests/sign-is-secure.c

index 020267b57963767a6a3a3ec588e28eeb012afab0..a14cebb9d06213cb76b89bcb9ada7d8ff782af33 100644 (file)
@@ -114,13 +114,14 @@ minimal.Fedora.x86_64:
   - tags
   retry: 1
 
+# This enables SSL3.0 and SHA-1 support
 SSL-3.0.Fedora.x86_64:
   stage: stage1-testing
   image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
   script:
   - ./bootstrap
   - mkdir -p build && cd build &&
-    dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --enable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile &&
+    dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --disable-ssl2-support --disable-full-test-suite --enable-seccomp-tests --disable-doc --disable-guile &&
     make -j$(nproc) && make check -j$(nproc)
   - cd ..
   tags:
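Review bot: Adding `--enable-sha1-support` to the existing `SSL-3.0.Fedora.x86_64` job means that, as far as this hunk shows, SHA-1 is only exercised together with SSL 3.0. A test failure in this job therefore cannot be attributed to one option, and the SHA-1-only configuration is not covered. A separate job that passes `--enable-sha1-support` without `--enable-ssl3-support` would cover that case. If the combined job is kept, its name should mention SHA-1, as the new comment does. The job definition continues past the end of the hunk.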
index 8732939ac98a75e0c5b039cc6d2d2e15c32da881..5c696f230166400c75952775bd5f9e93e7fc39cd 100644 (file)
@@ -89,6 +89,8 @@ void doit(void)
        if (ret < 0)
                fail("x509_crt_print %d\n", ret);
 
+/* When allowing SHA1, the output is different: no broken! string */
+#ifndef ALLOW_SHA1
        if (out.size != strlen(info) ||
            strcasecmp((char *) out.data, info) != 0) {
                fprintf(stderr, "comparison fail (%d/%d)\nexpected: %s\n\n   got: %.*s\n\n",
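Review bot: With `ALLOW_SHA1` defined, the whole comparison against `info` is compiled out (the `#ifndef` here is closed by the `#endif` in the next hunk), so in the SHA-1 CI run this test only checks that printing the certificate does not fail. The printed text is what shows whether a weak signature is still flagged, so the SHA-1 build should compare against its own expected string rather than skip the check, for example by selecting `info` with `#ifdef ALLOW_SHA1` / `#else` where it is defined. If `info` has no other use, it presumably also becomes an unused variable in that build. `doit()` starts and ends outside the hunk.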
@@ -96,6 +98,7 @@ void doit(void)
                     out.data);
                fail("comparison failed\n");
        }
+#endif
 
        gnutls_x509_crt_deinit(cert);
        gnutls_global_deinit();
index 71446ee589154e1a05d39d507272ad5caba266ee..694fb143dee1bfa2d4775bffe109fcb673f28cdd 100644 (file)
@@ -56,6 +56,7 @@
                fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \
        }
 
+#ifndef ALLOW_SHA1
 #define CHECK_INSECURE_FOR_CERTS_SIG(sig) \
        ret = gnutls_sign_is_secure2(sig, 0); \
        if (ret == 0) { \
@@ -69,6 +70,9 @@
        if (ret == 0) { \
                fail("error testing %d/%s\n", sig, gnutls_sign_get_name(sig)); \
        }
+#else
+#define CHECK_INSECURE_FOR_CERTS_SIG(sig)
+#endif
 
 void doit(void)
 {
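Review bot: The `#else` branch defines `CHECK_INSECURE_FOR_CERTS_SIG(sig)` as empty, so in an `ALLOW_SHA1` build every call site of the macro asserts nothing and the test no longer pins how those algorithms are classified for certificate use. It would be stronger to give the SHA-1 build its own expectation, presumably that `gnutls_sign_is_secure2()` now reports the algorithm as acceptable, so that a regression in either direction is caught. If the macro is also applied to algorithms other than SHA-1 (the call sites are outside the hunk), those would silently lose their checks too. The opening `#ifndef ALLOW_SHA1` is in the previous hunk.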
@@ -83,8 +87,11 @@ void doit(void)
        CHECK_INSECURE_SIG(GNUTLS_SIGN_RSA_MD2);
 
        for (i=1;i<GNUTLS_SIGN_MAX;i++) {
-               if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1||
-                   i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN)
+#ifndef ALLOW_SHA1
+               if (i==GNUTLS_SIGN_RSA_SHA1||i==GNUTLS_SIGN_DSA_SHA1||i==GNUTLS_SIGN_ECDSA_SHA1)
+                       continue;
+#endif
+               if (i==GNUTLS_SIGN_RSA_MD5||i==GNUTLS_SIGN_RSA_MD2||i==GNUTLS_SIGN_UNKNOWN)
                        continue;
                /* skip any unused elements */
                if (gnutls_sign_algorithm_get_name(i)==NULL)
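Review bot: The new `#ifndef ALLOW_SHA1` around the SHA-1 `continue` has no comment saying why the skip is conditional, unlike the matching change in tests/dn2.c. A line such as `/* with SHA-1 enabled these must pass the checks below like any other algorithm */` above the guard would make the intent clear. The loop body continues outside the hunk, so the checks actually applied to the SHA-1 identifiers in that build cannot be confirmed from here.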