Adjust ssl_test_new for SHA1 security level
authorMatt Caswell <matt@openssl.org>
Tue, 27 Apr 2021 14:04:11 +0000 (15:04 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 29 Apr 2021 14:52:49 +0000 (15:52 +0100)
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore
ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled.

There are also adjustments required if using the FIPS module and DTLSv1.2
is disabled. The only DTLS version supported by the FIPS module is
DTLSv1.2.

Fixes  #14956

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15047)

test/ssl-tests/16-dtls-certstatus.cnf
test/ssl-tests/16-dtls-certstatus.cnf.in
test/ssl-tests/18-dtls-renegotiate.cnf
test/ssl-tests/18-dtls-renegotiate.cnf.in
test/ssl-tests/protocol_version.pm

index a561803a554415aef6722d2193d97eeb3669fa17..ee46be4d3bef18feba1525b5f83909a7b556e310 100644 (file)
@@ -15,11 +15,11 @@ client = 0-certstatus-good-client
 
 [0-certstatus-good-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [0-certstatus-good-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -43,11 +43,11 @@ client = 1-certstatus-bad-client
 
 [1-certstatus-bad-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [1-certstatus-bad-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
index c5545991d23e6b102b283bf7780698ecadd69d78..ebab3d7ca2a5d29c27d4b5a7a06dd0e9f651bfb8 100644 (file)
@@ -15,15 +15,22 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
-our @tests = (
+our $fips_mode;
+
+our @tests = ();
+
+our @tests_standard = (
     {
         name => "certstatus-good",
         server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
             extra => {
-                "CertStatus" => "GoodResponse",
+                "CertStatus" => "GoodResponse"
             },
         },
-        client => {},
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+        },
         test => {
             "Method" => "DTLS",
             "ExpectedResult" => "Success"
@@ -32,11 +39,14 @@ our @tests = (
     {
         name => "certstatus-bad",
         server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
             extra => {
                 "CertStatus" => "BadResponse",
             },
         },
-        client => {},
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+        },
         test => {
             "Method" => "DTLS",
             "ExpectedResult" => "ClientFail"
@@ -48,11 +58,14 @@ our @tests_sctp = (
     {
         name => "certstatus-good",
         server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
             extra => {
                 "CertStatus" => "GoodResponse",
             },
         },
-        client => {},
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+        },
         test => {
             "Method" => "DTLS",
             "UseSCTP" => "Yes",
@@ -62,11 +75,14 @@ our @tests_sctp = (
     {
         name => "certstatus-bad",
         server => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
             extra => {
                 "CertStatus" => "BadResponse",
             },
         },
-        client => {},
+        client => {
+            "CipherString" => "DEFAULT:\@SECLEVEL=0",
+        },
         test => {
             "Method" => "DTLS",
             "UseSCTP" => "Yes",
@@ -75,4 +91,7 @@ our @tests_sctp = (
     },
 );
 
-push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+if  (!$fips_mode || !disabled("dtls1_2")) {
+    push @tests, @tests_standard;
+    push @tests, @tests_sctp unless disabled("sctp") || disabled("sock");
+}
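Review bot: The guard in the last hunk reads `if  (!$fips_mode || !disabled("dtls1_2"))` with a doubled space after `if`, and `$fips_mode` is declared with `our` at the top of the file but never assigned in it, so a reader has to guess who sets it; a comment on the declaration such as `# set by the test generator before this file is evaluated (confirm against the caller)` would remove the guesswork. The same hunks also apply `@SECLEVEL=0` to every certstatus test unconditionally, so these tests no longer exercise the DEFAULT security level even in builds where DTLSv1.2 is available; if the generator tolerates it, `disabled("dtls1_2") ? 'DEFAULT:@SECLEVEL=0' : 'DEFAULT'` would keep that coverage where it still applies. Minor: the first hunk drops the trailing comma after `"CertStatus" => "GoodResponse"` while the three sibling entries keep theirs.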
index 9204dd2c5d15686727591f754a73adde309fc9f1..0f3d1eae239e221fd86678ad8c2df0ae88a74642 100644 (file)
@@ -22,12 +22,12 @@ client = 0-renegotiate-client-no-resume-client
 
 [0-renegotiate-client-no-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 Options = NoResumptionOnRenegotiation
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [0-renegotiate-client-no-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -50,11 +50,11 @@ client = 1-renegotiate-client-resume-client
 
 [1-renegotiate-client-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [1-renegotiate-client-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -77,11 +77,11 @@ client = 2-renegotiate-server-resume-client
 
 [2-renegotiate-server-resume-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 
 [2-renegotiate-server-resume-client]
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
 
@@ -104,14 +104,14 @@ client = 3-renegotiate-client-auth-require-client
 
 [3-renegotiate-client-auth-require-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Require
 
 [3-renegotiate-client-auth-require-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
@@ -135,14 +135,14 @@ client = 4-renegotiate-client-auth-once-client
 
 [4-renegotiate-client-auth-once-server]
 Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem
 VerifyMode = Once
 
 [4-renegotiate-client-auth-once-client]
 Certificate = ${ENV::TEST_CERTS_DIR}/ee-client-chain.pem
-CipherString = DEFAULT
+CipherString = DEFAULT:@SECLEVEL=0
 PrivateKey = ${ENV::TEST_CERTS_DIR}/ee-key.pem
 VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
 VerifyMode = Peer
index b8ec735eb2f2683134ac7817b355249ef56df04e..400ec67d31168aeeac528e85f02816f9699af857 100644 (file)
@@ -15,20 +15,26 @@ use warnings;
 package ssltests;
 use OpenSSL::Test::Utils;
 
+our $fips_mode;
+
 our @tests = ();
 
 foreach my $sctp ("No", "Yes")
 {
     next if disabled("sctp") && $sctp eq "Yes";
+    next if disabled("dtls1_2") && $fips_mode;
 
     my $suffix = ($sctp eq "No") ? "" : "-sctp";
     our @tests_basic = (
         {
             name => "renegotiate-client-no-resume".$suffix,
             server => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0',
                 "Options" => "NoResumptionOnRenegotiation"
             },
-            client => {},
+            client => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
+            },
             test => {
                 "Method" => "DTLS",
                 "UseSCTP" => $sctp,
@@ -39,8 +45,12 @@ foreach my $sctp ("No", "Yes")
         },
         {
             name => "renegotiate-client-resume".$suffix,
-            server => {},
-            client => {},
+            server => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
+            },
+            client => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
+            },
             test => {
                 "Method" => "DTLS",
                 "UseSCTP" => $sctp,
@@ -60,8 +70,12 @@ foreach my $sctp ("No", "Yes")
         # and if so, what to?
         {
             name => "renegotiate-server-resume".$suffix,
-            server => {},
-            client => {},
+            server => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
+            },
+            client => {
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
+            },
             test => {
                 "Method" => "DTLS",
                 "UseSCTP" => $sctp,
@@ -75,10 +89,12 @@ foreach my $sctp ("No", "Yes")
             server => {
                 "VerifyCAFile" => test_pem("root-cert.pem"),
                 "VerifyMode" => "Require",
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
             },
             client => {
                 "Certificate" => test_pem("ee-client-chain.pem"),
                 "PrivateKey"  => test_pem("ee-key.pem"),
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
             },
             test => {
                 "Method" => "DTLS",
@@ -93,10 +109,12 @@ foreach my $sctp ("No", "Yes")
             server => {
                 "VerifyCAFile" => test_pem("root-cert.pem"),
                 "VerifyMode" => "Once",
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
             },
             client => {
                 "Certificate" => test_pem("ee-client-chain.pem"),
                 "PrivateKey"  => test_pem("ee-key.pem"),
+                "CipherString" => 'DEFAULT:@SECLEVEL=0'
             },
             test => {
                 "Method" => "DTLS",
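Review bot: `next if disabled("dtls1_2") && $fips_mode;` in the first hunk sits inside the `foreach my $sctp` loop, but neither operand depends on `$sctp`, so the check is loop-invariant and would be clearer as a single guard around the loop in the same shape the certstatus file uses, `unless (disabled("dtls1_2") && $fips_mode) { foreach my $sctp ("No", "Yes") { ... } }`. This file quotes the cipher string as `'DEFAULT:@SECLEVEL=0'` while 16-dtls-certstatus.cnf.in writes `"DEFAULT:\@SECLEVEL=0"`; both yield the same text, but using one form across the DTLS inputs avoids a reader wondering whether the escaped `@` is deliberate. As in the sibling file, `our $fips_mode;` is declared but never assigned here, so a comment stating where it is set (presumably the generator) belongs on the declaration. The `foreach` body begins in the first hunk and continues past the last one.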
index 9e9b9a892d06e9bcbe2625bc250b421845dbab6c..4e4ce365d6e646d177ad2db1a64f075400cc624d 100644 (file)
@@ -102,7 +102,10 @@ $min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disab
 $max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
 
 sub no_tests {
-    my ($dtls) = @_;
+    my ($dtls, $fips) = @_;
+    if ($dtls && $fips) {
+        return disabled("dtls1_2");
+    }
     return $dtls ? alldisabled("dtls1", "dtls1_2") :
       alldisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
 }
@@ -134,7 +137,7 @@ sub generate_version_tests {
         $max_enabled  = $dtls ? $max_dtls_enabled : $max_tls_enabled;
     }
 
-    if (no_tests($dtls)) {
+    if (no_tests($dtls, $fips)) {
         return;
     }
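Review bot: The new early return in `no_tests` encodes a FIPS-specific assumption without saying so; a comment on the `if ($dtls && $fips)` branch such as `# The FIPS module only supports DTLSv1.2, so with it disabled there is nothing to test` (the reason given in the commit message) keeps the rationale next to the code. The added `$fips` parameter is optional from the caller's side, since an omitted argument is undef and therefore false, so the old one-argument form still behaves as before; that is worth stating in the sub's comment block if it has one. The second hunk passes `$fips` from `generate_version_tests`, whose body starts and ends outside the hunk, so I could not confirm that `$fips` is the lexical in scope there.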