test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)

diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index b967dc14c56748ff94c0c439b9ef09d53ce5579a..71db50c9c2a1f34d9554d4517eb2667683b0c338 100644 (file)
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -13,7 +13,7 @@ use warnings;
 use POSIX;
 use File::Basename;
 use File::Copy;
-use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/;
+use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file result_dir result_file/;
 use OpenSSL::Test::Utils;
 
 BEGIN {
@@ -79,7 +79,7 @@ my $client_sess="client.ss";
 # If you're adding tests here, you probably want to convert them to the
 # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
 plan tests =>
-   ($no_fips ? 0 : 6)     # testssl with fips provider
+   ($no_fips ? 0 : 7)     # testssl with fips provider
     + 1                   # For testss
     + 5                   # For the testssl with default provider
     + 1                   # For security level 0 failure tests
@@ -105,8 +105,69 @@ if (disabled("legacy")) {
 
 testssl($Ukey, $Ucert, $CAcert, "default", $configfile);
 unless ($no_fips) {
-    testssl($Ukey, $Ucert, $CAcert, "fips",
-            srctop_file("test","fips-and-base.cnf"));
+    # Read in a text $infile and replace the regular expression in $srch with the
+    # value in $repl and output to a new file $outfile.
+    sub replace_line_file_internal {
+
+        my ($infile, $srch, $repl, $outfile) = @_;
+        my $msg;
+
+        open(my $in, "<", $infile) or return 0;
+        read($in, $msg, 1024);
+        close $in;
+
+        $msg =~ s/$srch/$repl/;
+
+        open(my $fh, ">", $outfile) or return 0;
+        print $fh $msg;
+        close $fh;
+        return 1;
+    }
+
+    # Read in the text input file $infile
+    # and replace a single Key = Value line with a new value in $value.
+    # OR remove the Key = Value line if the passed in $value is empty.
+    # and then output a new file $outfile.
+    # $key is the Key to find
+    sub replace_kv_file {
+        my ($infile, $key, $value, $outfile) = @_;
+        my $srch = qr/$key\s*=\s*\S*\n/;
+        my $rep;
+        if ($value eq "") {
+            $rep = "";
+        } else {
+           $rep = "$key = $value\n";
+        }
+        return replace_line_file_internal($infile, $srch, $rep, $outfile);
+    }
+
+    # Read in the text $input file
+    # and search for the $key and replace with $newkey
+    # and then output a new file $outfile.
+    sub replace_line_file {
+        my ($infile, $key, $newkey, $outfile) = @_;
+        my $srch = qr/$key/;
+        my $rep = "$newkey";
+        return replace_line_file_internal($infile,
+                                          $srch, $rep, $outfile);
+    }
+
+    # Rewrite the module configuration to all PKCS#1 v1.5 padding
+    my $fipsmodcfg_filename = "fipsmodule.cnf";
+    my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
+    my $provconf = srctop_file("test", "fips-and-base.cnf");
+    my $provconfnew = result_file("fips-and-base-temp.cnf");
+    my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
+    my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
+    $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
+    ok(replace_kv_file($fipsmodcfg,
+                       'rsa-pkcs15-padding-disabled', '0',
+                       $fipsmodcfgnew)
+       && replace_line_file($provconf,
+                            $fipsmodcfg_filename, $fipsmodcfgnew_filename,
+                            $provconfnew));
+
+    testssl($Ukey, $Ucert, $CAcert, "fips", $provconfnew);
 }
 
 # -----------