Merge remote-tracking branch 'origin/topic/awelzel/4035-btest-openssl-sha1-certs'

* origin/topic/awelzel/4035-btest-openssl-sha1-certs:
  external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1
  btest/x509_verify: Drop OpenSSL 1.0 hack
  testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES

(cherry picked from commit 280e7acc6e)

CHANGES

@@ -1,3 +1,27 @@
+7.0.7-7 | 2025-05-19 11:17:50 -0700
+
+  * external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1 (Arne Welzel, Corelight)
+
+    We already do something similar for OPENSSL_ENABLE_MD5_VERIFY=1
+
+    (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
+  * btest/x509_verify: Drop OpenSSL 1.0 hack (Arne Welzel, Corelight)
+
+    We do not have a distro in CI anymore that ships OpenSSL 1.0,
+    drop the hack.
+
+    (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
+  * GH-4035: testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES (Arne Welzel, Corelight)
+
+    This reverts the call to update-crypto-policies in the Fedora 41 image
+    and instead sets OPENSSL_ENABLE_SHA1_SIGNATURES in the individual tests.
+    This allows RHEL 10 or Fedora 41 users to run the tests in question
+    without needing to fiddle with system settings.
+
+    (cherry picked from commit 280e7acc6e99a33fa79f1c1b36cf0edffbdca72d)
+
 7.0.7-6 | 2025-05-19 09:22:22 -0700
 
   * Update paraglob submodule for GCC 15.1 build fix (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-7.0.7-6
+7.0.7-7

testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1

@@ -1,8 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Validation result: certificate has expired
-Validation result: ok
-Resulting chain:
-Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
-Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

testing/btest/bifs/x509_verify.zeek

@@ -1,14 +1,7 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
-
-# This is a hack: the results of OpenSSL 1.1's vs 1.0's
-# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
-# differ.  Word seems to be that OpenSSL 1.1's cert-chain-building
-# code is significantly different/rewritten so may be the reason...
-
-# @TEST-EXEC: cp .stdout stdout-openssl-1.0
-# @TEST-EXEC: cp .stdout stdout-openssl-1.1
-
-# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 
 @load base/protocols/ssl
 

testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test

@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ssl

testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek

@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log

testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek

@@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT

testing/external/subdir-btest.cfg

@@ -25,4 +25,6 @@ BUILD=%(testbase)s/../../../%(build_dir)s
 ZEEK_DNS_FAKE=1
 # Fedora/CentOS/RedHat have MD5 disabled for certificate verification and need setting an environment variable to permit it:
 OPENSSL_ENABLE_MD5_VERIFY=1
+# Fedora/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it:
+OPENSSL_ENABLE_SHA1_SIGNATURES=1
 UBSAN_OPTIONS=print_stacktrace=1