summaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2020-03-21 01:39:27 +0100
committerMatt Caswell <matt@openssl.org>2020-04-19 15:40:55 +0200
commit4f6c704495248d4e61b7668201e3bef47a45e35f (patch)
tree8411141d372e98527a950c6d9a33490a1b41a5d6 /test
parentUse a non-default libctx in sslapitest (diff)
downloadopenssl-4f6c704495248d4e61b7668201e3bef47a45e35f.tar.xz
openssl-4f6c704495248d4e61b7668201e3bef47a45e35f.zip
Re-enable FIPS testing in sslapitest.c
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
Diffstat (limited to 'test')
-rw-r--r--test/recipes/90-test_sslapi.t30
-rw-r--r--test/sslapitest.c51
2 files changed, 58 insertions, 23 deletions
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 18ca860e23..5e137c5e77 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -19,30 +19,40 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
-plan tests => 2;
+plan tests =>
+ ($no_fips ? 0 : 2) # FIPS install test + sslapitest with fips
+ + 1; # sslapitest with default provider
(undef, my $tmpfilename) = tempfile();
-
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
-ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
- '-module', bldtop_file('providers', platform->dso('fips')),
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
- '-section_name', 'fips_sect'])),
- "fipsinstall");
-
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"), $tmpfilename, "default",
srctop_file("test", "default.cnf")])),
"running sslapitest");
+unless ($no_fips) {
+ ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-module', bldtop_file('providers', platform->dso('fips')),
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_sect'])),
+ "fipsinstall");
+
+ ok(run(test(["sslapitest", srctop_dir("test", "certs"),
+ srctop_file("test", "recipes", "90-test_sslapi_data",
+ "passwd.txt"), $tmpfilename, "fips",
+ srctop_file("test", "fips.cnf")])),
+ "running sslapitest");
+}
+
unlink $tmpfilename;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index ef078ad244..b1522b451d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -64,6 +64,8 @@ static char *privkey = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
+static int is_fips = 0;
+
#define LOG_BUFFER_SIZE 2048
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
static size_t server_log_buffer_index = 0;
@@ -3748,6 +3750,10 @@ static int test_ciphersuite_change(void)
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
+ || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
+ "TLS_AES_128_GCM_SHA256:"
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_CCM_SHA256"))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
@@ -3765,12 +3771,11 @@ static int test_ciphersuite_change(void)
SSL_free(clientssl);
serverssl = clientssl = NULL;
-# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
/* Check we can resume a session with a different SHA-256 ciphersuite */
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
- "TLS_CHACHA20_POLY1305_SHA256"))
- || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
- NULL, NULL))
+ "TLS_AES_128_CCM_SHA256"))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, clntsess))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
@@ -3784,7 +3789,6 @@ static int test_ciphersuite_change(void)
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
-# endif
/*
* Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
@@ -4033,15 +4037,19 @@ static int test_tls13_ciphersuite(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
- static const char *t13_ciphers[] = {
- TLS1_3_RFC_AES_128_GCM_SHA256,
- TLS1_3_RFC_AES_256_GCM_SHA384,
- TLS1_3_RFC_AES_128_CCM_SHA256,
+ static const struct {
+ const char *ciphername;
+ int fipscapable;
+ } t13_ciphers[] = {
+ { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
+ { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
+ { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
- TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
- TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
+ { TLS1_3_RFC_AES_256_GCM_SHA384
+ ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
# endif
- TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
+ { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
};
const char *t13_cipher = NULL;
const char *t12_cipher = NULL;
@@ -4076,7 +4084,9 @@ static int test_tls13_ciphersuite(int idx)
continue;
# endif
for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
- t13_cipher = t13_ciphers[i];
+ if (is_fips && !t13_ciphers[i].fipscapable)
+ continue;
+ t13_cipher = t13_ciphers[i].ciphername;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, max_ver,
@@ -4194,6 +4204,16 @@ static int test_tls13_psk(int idx)
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256")))
goto end;
+ } else {
+ /*
+ * As noted above the server should prefer SHA256 automatically. However
+ * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
+ * code works even if we are testing with only the FIPS provider loaded.
+ */
+ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_GCM_SHA256")))
+ goto end;
}
/*
@@ -4933,6 +4953,8 @@ static int test_export_key_mat(int tst)
if (tst == 1)
return 1;
#endif
+ if (is_fips && (tst == 0 || tst == 1))
+ return 1;
#ifdef OPENSSL_NO_TLS1_2
if (tst == 2)
return 1;
@@ -7303,6 +7325,9 @@ int setup_tests(void)
&& !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
return 0;
+ if (strcmp(modulename, "fips") == 0)
+ is_fips = 1;
+
if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
TEST_error("not supported in this build");