Merge pull request #433 from pghmcfc/no-sha1

Support running the test suite in an environment where sha1 isn't allowed by policy

Author: h-vn

Changes

@@ -4,6 +4,14 @@ Revision history for Perl extension Net::SSLeay.
 	- Pass RAND_seed()'s sole argument to the underlying RAND_seed() function in
 	  libcrypto, rather than passing the value of a non-existent second argument.
 	  Fixes GH-427. Thanks to cgf1 for the report.
+	- Avoid explicit and implicit use of weak hash algorithms,
+	  such as MD5 and SHA-1, in test suite. This allows tests
+	  44_sess.t and 45_exporter.t to correctly work on systems
+	  where crypto policies prohibit their direct use and TLS
+	  versions that require them. An example of such a system is
+	  Rocky Linux 9.2. Any Red Hat Enterprise Linux 9 and derived
+	  system is likely to have similar behaviour.  Thanks to Paul
+	  Howarth for the investigation and patches.
 
 1.93_02 2023-02-22
 	- Update ppport.h to version 3.68. This eliminates thousands of

t/local/33_x509_create_cert.t

@@ -98,8 +98,8 @@ is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp");
         &Net::SSLeay::NID_crl_distribution_points => 'URI:http://pki.dom.com/crl1.pem,URI:http://pki.dom.com/crl2.pem',
     ), "P_X509_add_extensions");
 
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
-  ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha1_digest), "X509_sign");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
+  ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha256_digest), "X509_sign");
 
   is(Net::SSLeay::X509_get_version($x509), 3, "X509_get_version");  
   is(Net::SSLeay::X509_verify($x509, Net::SSLeay::X509_get_pubkey($ca_cert)), 1, "X509_verify");
@@ -208,8 +208,8 @@ is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp");
 
   ok(Net::SSLeay::X509_REQ_set_version($req, 2), "X509_REQ_set_version");
 
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
-  ok(Net::SSLeay::X509_REQ_sign($req, $pk, $sha1_digest), "X509_REQ_sign");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
+  ok(Net::SSLeay::X509_REQ_sign($req, $pk, $sha256_digest), "X509_REQ_sign");
 
   ok(my $req_pubkey = Net::SSLeay::X509_REQ_get_pubkey($req), "X509_REQ_get_pubkey");
   is(Net::SSLeay::X509_REQ_verify($req, $req_pubkey), 1, "X509_REQ_verify");
@@ -250,7 +250,7 @@ is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp");
   ok(Net::SSLeay::X509_set_pubkey($x509ss,$tmppkey), "X509_set_pubkey");
   Net::SSLeay::EVP_PKEY_free($tmppkey);
 
-  ok(Net::SSLeay::X509_sign($x509ss, $ca_pk, $sha1_digest), "X509_sign");
+  ok(Net::SSLeay::X509_sign($x509ss, $ca_pk, $sha256_digest), "X509_sign");
   like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509ss), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509");
 
   #write_file("tmp_cert2.crt.pem", $crt_pem);
@@ -318,8 +318,8 @@ is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp");
     ok(Net::SSLeay::P_ASN1_TIME_set_isotime(Net::SSLeay::X509_get_notAfter($x509), "2038-01-01T00:00:00Z"), "P_ASN1_TIME_set_isotime+X509_get_notAfter");
   }
 
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
-  ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha1_digest), "X509_sign");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
+  ok(Net::SSLeay::X509_sign($x509, $ca_pk, $sha256_digest), "X509_sign");
 
   like(my $crt_pem = Net::SSLeay::PEM_get_string_X509($x509), qr/-----BEGIN CERTIFICATE-----/, "PEM_get_string_X509");
   like(my $key_pem = Net::SSLeay::PEM_get_string_PrivateKey($pk), qr/-----BEGIN (RSA )?PRIVATE KEY-----/, "PEM_get_string_PrivateKey");  
@@ -333,8 +333,8 @@ is(Net::SSLeay::X509_NAME_cmp($ca_issuer, $ca_subject), 0, "X509_NAME_cmp");
   ok(my $bio = Net::SSLeay::BIO_new_file($req_pem, 'r'), "BIO_new_file");
   ok(my $req = Net::SSLeay::PEM_read_bio_X509_REQ($bio), "PEM_read_bio_X509");
 
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
-  is(unpack("H*", Net::SSLeay::X509_REQ_digest($req, $sha1_digest)), "372c21a20a6d4e15bf8ecefb487cc604d9a10960", "X509_REQ_digest");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
+  is(unpack("H*", Net::SSLeay::X509_REQ_digest($req, $sha256_digest)), "420e99da1e23e192409ab2a5f1a9b09ac03c52fa4b8bd0d19e561358f9880e88", "X509_REQ_digest");
 
   ok(my $req2  = Net::SSLeay::X509_REQ_new(), "X509_REQ_new");  
   ok(my $name = Net::SSLeay::X509_REQ_get_subject_name($req), "X509_REQ_get_subject_name");

t/local/34_x509_crl.t

@@ -39,8 +39,8 @@ ok(my $ca_pk = Net::SSLeay::PEM_read_bio_PrivateKey($bio2), "PEM_read_bio_Privat
   is(Net::SSLeay::P_ASN1_TIME_get_isotime($time_next), '2020-07-08T00:00:00Z', "P_ASN1_TIME_get_isotime next");
 
   is(Net::SSLeay::X509_CRL_get_version($crl1), 1, "X509_CRL_get_version");
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
-  is(unpack("H*",Net::SSLeay::X509_CRL_digest($crl1, $sha1_digest)), 'f0e5c853477a206c03f7347aee09a01d91df0ac5', "X509_CRL_digest");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
+  is(unpack("H*",Net::SSLeay::X509_CRL_digest($crl1, $sha256_digest)), '4edc18ec956e722cbcf96589a43535c2d1d557e3cec55b1e421897827c3bb8be', "X509_CRL_digest");
 }
 
 { ### X509_CRL create
@@ -81,9 +81,9 @@ ok(my $ca_pk = Net::SSLeay::PEM_read_bio_PrivateKey($bio2), "PEM_read_bio_Privat
         &Net::SSLeay::NID_authority_key_identifier => 'keyid:always,issuer:always',
     ), "P_X509_CRL_add_extensions");
 
-  ok(my $sha1_digest = Net::SSLeay::EVP_get_digestbyname("sha1"), "EVP_get_digestbyname");
+  ok(my $sha256_digest = Net::SSLeay::EVP_get_digestbyname("sha256"), "EVP_get_digestbyname");
   ok(Net::SSLeay::X509_CRL_sort($crl), "X509_CRL_sort");
-  ok(Net::SSLeay::X509_CRL_sign($crl, $ca_pk, $sha1_digest), "X509_CRL_sign");
+  ok(Net::SSLeay::X509_CRL_sign($crl, $ca_pk, $sha256_digest), "X509_CRL_sign");
 
   like(my $crl_pem = Net::SSLeay::PEM_get_string_X509_CRL($crl), qr/-----BEGIN X509 CRL-----/, "PEM_get_string_X509_CRL");
 

t/local/44_sess.t

@@ -2,7 +2,7 @@
 
 use lib 'inc';
 
-use Net::SSLeay;
+use Net::SSLeay qw( ERROR_SSL );
 use Test::Net::SSLeay qw(
     can_fork data_file_path initialise_libssl is_protocol_usable new_ctx
     tcp_socket
@@ -14,7 +14,7 @@ use English qw( $EVAL_ERROR $OSNAME $PERL_VERSION -no_match_vars );
 if (not can_fork()) {
     plan skip_all => "fork() not supported on this system";
 } else {
-    plan tests => 58;
+    plan tests => 59;
 }
 
 initialise_libssl();
@@ -150,6 +150,7 @@ sub server_remove_cb
 my ($server_ctx, $client_ctx, $server_ssl, $client_ssl);
 
 my $server = tcp_socket();
+my $proto_count = 0;
 
 sub server
 {
@@ -265,6 +266,14 @@ sub client {
 	Net::SSLeay::set_fd($ssl, $cl);
 	my $ret = Net::SSLeay::connect($ssl);
 	if ($ret <= 0) {
+	    # Connection might fail due to attempted use of algorithm in key
+	    # exchange that is forbidden by security policy, resulting in ERROR_SSL
+	    my $ssl_err = Net::SSLeay::get_error($ssl, $ret);
+	    if ($ssl_err == ERROR_SSL) {
+	        diag("Protocol $proto, connect() failed, maybe due to security policy");
+	        $usable{$round} = 0;
+	        next;
+	    }
 	    diag("Protocol $proto, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
 	}
 	my $msg = Net::SSLeay::read($ssl);
@@ -284,6 +293,7 @@ sub client {
 	Net::SSLeay::shutdown($ssl);
 	Net::SSLeay::free($ssl);
 	close($cl) || die("client close: $!");
+	$proto_count += 1;
     }
 
     maybe_sleep();
@@ -369,6 +379,8 @@ sub test_stats {
         }
     }
 
+    cmp_ok($proto_count, '>=', 1, "At least one protocol fully testable");
+
     #  use Data::Dumper; print "Server:\n" . Dumper(\%srv_stats);
     #  use Data::Dumper; print "Client:\n" . Dumper(\%clt_stats);
 }

t/local/45_exporter.t

@@ -2,7 +2,7 @@
 
 use lib 'inc';
 
-use Net::SSLeay;
+use Net::SSLeay qw( ERROR_SSL );
 use Test::Net::SSLeay qw(
     can_fork data_file_path initialise_libssl is_protocol_usable new_ctx
     tcp_socket
@@ -15,7 +15,7 @@ if (not can_fork()) {
 } elsif (!defined &Net::SSLeay::export_keying_material) {
     plan skip_all => "No export_keying_material()";
 } else {
-    plan tests => 36;
+    plan tests => 37;
 }
 
 initialise_libssl();
@@ -37,6 +37,7 @@ my (%server_stats, %client_stats);
 my ($server_ctx, $client_ctx, $server_ssl, $client_ssl);
 
 my $server = tcp_socket();
+my $proto_count = 0;
 
 sub server
 {
@@ -88,6 +89,16 @@ sub client {
             Net::SSLeay::set_fd( $ssl, $cl );
             my $ret = Net::SSLeay::connect($ssl);
             if ($ret <= 0) {
+                # Connection might fail due to attempted use of algorithm in key
+                # exchange that is forbidden by security policy, resulting in ERROR_SSL
+                my $ssl_err = Net::SSLeay::get_error($ssl, $ret);
+                if ($ssl_err == ERROR_SSL) {
+                    diag("Protocol $round, connect() failed, maybe due to security policy");
+                    SKIP: {
+                        skip( "$round not available in this enviornment", 9 );
+                    }
+                    next;
+                }
                 diag("Protocol $round, connect() returns $ret, Error: ".Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()));
             }
 
@@ -100,6 +111,7 @@ sub client {
             Net::SSLeay::shutdown($ssl);
             Net::SSLeay::free($ssl);
             close($cl) || die("client close: $!");
+            $proto_count += 1;
         }
         else {
             SKIP: {
@@ -168,4 +180,7 @@ sub test_export_early
 server();
 client();
 waitpid $pid, 0;
+
+cmp_ok($proto_count, '>=', 1, "At least one protocol fully testable");
+
 exit(0);