From ee1986c58ccb81d1224d09a7cb56b2043fa6a2e8 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Wed, 4 May 2022 18:19:02 +0200
Subject: [PATCH] Make TLS tests on SECLEVEL 0

As https://github.com/openssl/openssl/pull/18236 is going to
ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above,
we have to adjust GOST TLS tests.
---
 tcl_tests/ssl.try | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/tcl_tests/ssl.try b/tcl_tests/ssl.try
index 5bc5087..1c5f9e9 100644
--- a/tcl_tests/ssl.try
+++ b/tcl_tests/ssl.try
@@ -43,36 +43,36 @@ if {[info exists env(ALG_LIST)]} {
 
 array set suites {
 rsa:1024 {ECDHE-RSA-AES256-SHA@SECLEVEL=0}
-gost2001:XA {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0 LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 IANA-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
-gost2012_256:XA {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
-gost2012_512:A {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1 GOST2012-NULL-GOST12@SECLEVEL=0}
+gost2001:XA {GOST2001-GOST89-GOST89@SECLEVEL=0 GOST2001-NULL-GOST94@SECLEVEL=0 LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0 IANA-GOST2012-GOST8912-GOST8912@SECLEVEL=0 GOST2012-NULL-GOST12@SECLEVEL=0}
+gost2012_256:XA {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0 GOST2012-NULL-GOST12@SECLEVEL=0}
+gost2012_512:A {LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0 GOST2012-NULL-GOST12@SECLEVEL=0}
 }
 
 #
 # Incompatible cipher suites
 #
 array set badsuites {
-gost2012_256:XA {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0} 
-gost2012_512:A {GOST2001-GOST89-GOST89@SECLEVEL=1 GOST2001-NULL-GOST94@SECLEVEL=0}
+gost2012_256:XA {GOST2001-GOST89-GOST89@SECLEVEL=0 GOST2001-NULL-GOST94@SECLEVEL=0} 
+gost2012_512:A {GOST2001-GOST89-GOST89@SECLEVEL=0 GOST2001-NULL-GOST94@SECLEVEL=0}
 }
 
 #
 # Default cipher suite negotiated for algorithm
 #
 array set defsuite {
-rsa:1024 ECDHE-RSA-AES256-SHA@SECLEVEL=1
+rsa:1024 ECDHE-RSA-AES256-SHA@SECLEVEL=0
 #gost94:XA GOST94-GOST89-GOST89
-gost2001:XA GOST2012-GOST8912-GOST8912@SECLEVEL=1
-gost2012_256:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
-gost2012_512:A LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
+gost2001:XA GOST2012-GOST8912-GOST8912@SECLEVEL=0
+gost2012_256:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0
+gost2012_512:A LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0
 }
 
 array set defsuite_12 {
-rsa:1024 ECDHE-RSA-AES256-GCM-SHA384@SECLEVEL=1
+rsa:1024 ECDHE-RSA-AES256-GCM-SHA384@SECLEVEL=0
 #gost94:XA GOST94-GOST89-GOST89
-gost2001:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=1
-gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=1
-gost2012_512:A GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=1
+gost2001:XA LEGACY-GOST2012-GOST8912-GOST8912@SECLEVEL=0
+gost2012_256:XA GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=0
+gost2012_512:A GOST2012-MAGMA-MAGMAOMAC@SECLEVEL=0
 }
 
 set proto_list {"TLSv1" "TLSv1.1" "TLSv1.2"}
@@ -180,7 +180,7 @@ foreach proto $proto_list {
 					-verify 1 -state -cipher $suite] \
 					[list -www -cert localhost_$alg_fn/cert.pem \
 					-key localhost_$alg_fn/seckey.pem \
-					-cipher DHE-RSA-AES256-SHA@SECLEVEL=1 $protos($proto)] {}] 
+					-cipher DHE-RSA-AES256-SHA@SECLEVEL=0 $protos($proto)] {}] 
 				list [lindex $list 2] [grep ":fatal:" [lindex $list 1]]
 			} 0 [list 1 "SSL3 alert read:fatal:handshake failure
 "]
-- 
2.39.2