From: Tobias Brunner Date: Mon, 25 Nov 2024 15:46:04 +0000 (+0100) Subject: unit-tests: Remove RSA/ECDSA schemes with weak hash algorithms (MD5/SHA-1) X-Git-Tag: 6.0.0rc2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b677e612dbe661dcd6cab10d95777259ef1abf1;p=thirdparty%2Fstrongswan.git unit-tests: Remove RSA/ECDSA schemes with weak hash algorithms (MD5/SHA-1) These have been discouraged for a long time and there are now more and more crypto libraries that have them disabled by default. However, for some we only can detect this at runtime, in particular in FIPS mode, so tests would fail as the plugins would still announce them. So instead we just remove the schemes from these tests for now (at least for RSA, removing signatures with SHA-1 completely isn't an option yet as that's still the default with some clients). Closes strongswan/strongswan#2523 --- diff --git a/src/libstrongswan/tests/suites/test_ecdsa.c b/src/libstrongswan/tests/suites/test_ecdsa.c index 0cb16f68f1..058508f188 100644 --- a/src/libstrongswan/tests/suites/test_ecdsa.c +++ b/src/libstrongswan/tests/suites/test_ecdsa.c @@ -26,7 +26,6 @@ static struct { int key_size; signature_scheme_t scheme; } schemes[] = { - { 0, SIGN_ECDSA_WITH_SHA1_DER }, { 0, SIGN_ECDSA_WITH_SHA256_DER }, { 0, SIGN_ECDSA_WITH_SHA384_DER }, { 0, SIGN_ECDSA_WITH_SHA512_DER }, diff --git a/src/libstrongswan/tests/suites/test_rsa.c b/src/libstrongswan/tests/suites/test_rsa.c index 7bc02f3d66..738f8e7f39 100644 --- a/src/libstrongswan/tests/suites/test_rsa.c +++ b/src/libstrongswan/tests/suites/test_rsa.c @@ -25,8 +25,6 @@ */ static signature_scheme_t schemes[] = { SIGN_RSA_EMSA_PKCS1_NULL, - SIGN_RSA_EMSA_PKCS1_MD5, - SIGN_RSA_EMSA_PKCS1_SHA1, SIGN_RSA_EMSA_PKCS1_SHA2_224, SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_384,
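Review bot: In the test_ecdsa.c hunk, the schemes[] array now begins at SIGN_ECDSA_WITH_SHA256_DER, and nothing in the file records that SIGN_ECDSA_WITH_SHA1_DER was left out deliberately. The reason exists only in the commit message: some libraries reveal only at runtime, in particular in FIPS mode, that the scheme is disabled, while the plugin still announces it. A short comment above the array stating this would keep the entry from being re-added later as an apparent oversight.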
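Review bot: In the test_rsa.c hunk, removing SIGN_RSA_EMSA_PKCS1_SHA1 from schemes[] drops this suite's coverage of a scheme that the commit message says cannot be removed yet, because it is still the default with some clients. The message describes the removal as a "for now" measure, so it would help to mark it as temporary with a comment at the array that names the omitted MD5 and SHA-1 entries and the runtime-detection problem. A follow-up could then exercise SHA-1 on backends that accept it and tolerate its absence elsewhere, instead of leaving it untested everywhere.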