diff --git a/CHANGES b/CHANGES
index 7b91234894..38313066fc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,27 @@
+7.0.7-7 | 2025-05-19 11:17:50 -0700
+
+ * external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 (Arne Welzel, Corelight)
+
+ We already do something similar for OPENSSL_ENABLE_MD5_VERIFY=1
+
+ (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
+ * btest/x509_verify: Drop OpenSSL 1.0 hack (Arne Welzel, Corelight)
+
+ We do not have a distro in CI anymore that ships OpenSSL 1.0,
+ drop the hack.
+
+ (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
+ * GH-4035: testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES (Arne Welzel, Corelight)
+
+ This reverts the call to update-crypto-policies in the Fedora 41 image
+ and instead sets OPENSSL_ENABLE_SHA1_SIGNATURES in the individual tests.
+ This allows RHEL 10 or Fedora 41 users to run the tests in question
+ without needing to fiddle with system settings.
+
+ (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
 7.0.7-6 | 2025-05-19 09:22:22 -0700
 
 * Update paraglob submodule for GCC 15.1 build fix (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 52e512e396..b3a90f5d8f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.0.7-6
+7.0.7-7
diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 b/testing/btest/Baseline/bifs.x509_verify/out
similarity index 100%
rename from testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0
rename to testing/btest/Baseline/bifs.x509_verify/out
diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
deleted file mode 100644
index 35d46a3393..0000000000
--- a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
+++ /dev/null
@@ -1,8 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Validation result: certificate has expired
-Validation result: ok
-Resulting chain:
-Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
-Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
diff --git a/testing/btest/bifs/x509_verify.zeek b/testing/btest/bifs/x509_verify.zeek
index cb59d3f4aa..aabb3496a6 100644
--- a/testing/btest/bifs/x509_verify.zeek
+++ b/testing/btest/bifs/x509_verify.zeek
@@ -1,14 +1,7 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
-
-# This is a hack: the results of OpenSSL 1.1's vs 1.0's
-# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
-# differ. Word seems to be that OpenSSL 1.1's cert-chain-building
-# code is significantly different/rewritten so may be the reason...
-
-# @TEST-EXEC: cp .stdout stdout-openssl-1.0
-# @TEST-EXEC: cp .stdout stdout-openssl-1.1
-
-# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 
 @load base/protocols/ssl
 
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index 4e5a20a2ce..6b5992f640 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ssl
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
index f878ead3db..763c2fa24f 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
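Review bot: The new comment on the first added line says why `OPENSSL_ENABLE_SHA1_SIGNATURES=1` is prefixed to the zeek invocation, but not that this variable is, as far as I can tell, a knob introduced by the Fedora/RHEL OpenSSL patches and not read by upstream OpenSSL, so on other platforms the prefix is inert and the outcome still depends on whatever the local OpenSSL policy allows. Since the stated goal is to run the test without touching system crypto policy, I would make that scope explicit: `# Fedora/RHEL's patched OpenSSL rejects SHA1 certificate signatures by default; OPENSSL_ENABLE_SHA1_SIGNATURES=1 re-enables them for this test only (ignored by other OpenSSL builds).` The same two-line comment is pasted verbatim into ocsp-stapling.test, validate-certs.zeek and validate-ocsp.zeek; a one-line pointer there, `# See bifs/x509_verify.zeek for why OPENSSL_ENABLE_SHA1_SIGNATURES is set.`, would leave a single place to update when the distro behaviour changes again.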
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
index c3a32da70d..835261172d 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
@@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
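Review bot: In validate-certs.zeek only the first `zeek` invocation is prefixed with `OPENSSL_ENABLE_SHA1_SIGNATURES=1`; the second run over `missing-intermediate.pcap` on the hunk's context lines still validates without it, and in the validate-ocsp.zeek hunk the `ocsp-stapling-digicert.trace` invocation on the last context line is likewise left unprefixed while the other two get the override. If those chains contain no SHA1 signatures this is correct, but nothing in either file says so, and a later failure on Fedora/RHEL would read as a regression rather than a deliberate gap. I would either apply the prefix to every invocation in a test uniformly or annotate the unprefixed ones, e.g. `# no SHA1 signatures in this chain, override not needed`. In validate-certs.zeek the output of both runs is concatenated into ssl-all.log, so a policy difference between them would only show up as a diff in the second half of that baseline.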
diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index 20c8500948..9c7a1e2f5e 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -25,4 +25,6 @@ BUILD=%(testbase)s/../../../%(build_dir)s
 ZEEK_DNS_FAKE=1
 # Fedora/CentOS/RedHat have MD5 disabled for certificate verification and need setting an environment variable to permit it:
 OPENSSL_ENABLE_MD5_VERIFY=1
+# Fedora/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it:
+OPENSSL_ENABLE_SHA1_SIGNATURES=1
 UBSAN_OPTIONS=print_stacktrace=1
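Review bot: The added comment is less precise than the MD5 line directly above it: that one names Fedora/CentOS/RedHat, the new one Fedora/RedHat, and neither says that these variables are honoured only by the distro-patched OpenSSL and are ignored by other builds. Unlike the per-invocation prefixes in the testing/btest files, an assignment here applies to every test in the external suite, which is worth stating next to the value so nobody later assumes the variable is still scoped to a handful of tests. I would write `# Fedora/CentOS/RedHat OpenSSL rejects SHA1 certificate signatures by default; this distro-specific variable re-enables them for the whole external suite (ignored by other OpenSSL builds):` and align the MD5 comment's wording with it.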