1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
#! /usr/bin/env perl
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
use File::Temp qw(tempfile);
BEGIN {
setup("test_sslapi");
}
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
my $provconf = srctop_file("test", "fips-and-base.cnf");
# A modified copy of "fipsmodule.cnf"
my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
# An interum modified copy of "fipsmodule.cnf"
my $fipsmodcfgtmp_filename = "fipsmodule_tmp.cnf";
my $fipsmodcfgtmp = result_file($fipsmodcfgtmp_filename);
# A modified copy of "fips-and-base.cnf"
my $provconfnew = result_file("fips-and-base-temp.cnf");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 4;
(undef, my $tmpfilename) = tempfile();
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"), $tmpfilename, "default",
srctop_file("test", "default.cnf"),
srctop_file("test",
"recipes",
"90-test_sslapi_data",
"dhparams.pem")])),
"running sslapitest");
SKIP: {
skip "Skipping FIPS tests", 2
if $no_fips;
# NOTE that because by default we setup fips provider in pedantic mode,
# with >= 3.1.0 this just runs test_no_ems() to check that the connection
# fails if ems is not used and the fips check is enabled.
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"), $tmpfilename, "fips",
$provconf,
srctop_file("test",
"recipes",
"90-test_sslapi_data",
"dhparams.pem")])),
"running sslapitest with default fips config");
run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
capture => 1, statusvar => \my $exit);
skip "FIPS provider version is too old for TLS_PRF EMS option test", 1
if !$exit;
# Read in a text $infile and replace the regular expression in $srch with the
# value in $repl and output to a new file $outfile.
sub replace_line_file_internal {
my ($infile, $srch, $repl, $outfile) = @_;
my $msg;
open(my $in, "<", $infile) or return 0;
read($in, $msg, 1024);
close $in;
$msg =~ s/$srch/$repl/;
open(my $fh, ">", $outfile) or return 0;
print $fh $msg;
close $fh;
return 1;
}
# Read in the text input file $infile
# and replace a single Key = Value line with a new value in $value.
# OR remove the Key = Value line if the passed in $value is empty.
# and then output a new file $outfile.
# $key is the Key to find
sub replace_kv_file {
my ($infile, $key, $value, $outfile) = @_;
my $srch = qr/$key\s*=\s*\S*\n/;
my $rep;
if ($value eq "") {
$rep = "";
} else {
$rep = "$key = $value\n";
}
return replace_line_file_internal($infile, $srch, $rep, $outfile);
}
# Read in the text $input file
# and search for the $key and replace with $newkey
# and then output a new file $outfile.
sub replace_line_file {
my ($infile, $key, $newkey, $outfile) = @_;
my $srch = qr/$key/;
my $rep = "$newkey";
return replace_line_file_internal($infile,
$srch, $rep, $outfile);
}
# The default fipsmodule.cnf in tests is set with -pedantic.
# In order to enable the tls1-prf-ems-check=0 in a fips config file
# copy the existing fipsmodule.cnf and modify it.
# Then copy fips-and-base.cfg to make a file that includes the changed file
$ENV{OPENSSL_CONF_INCLUDE} = result_dir();
ok(replace_kv_file($fipsmodcfg,
'tls1-prf-ems-check', '0',
$fipsmodcfgtmp)
&& replace_kv_file($fipsmodcfgtmp,
'rsa-pkcs15-pad-disabled', '0',
$fipsmodcfgnew)
&& replace_line_file($provconf,
$fipsmodcfg_filename, $fipsmodcfgnew_filename,
$provconfnew)
&& run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"),
$tmpfilename, "fips",
$provconfnew,
srctop_file("test",
"recipes",
"90-test_sslapi_data",
"dhparams.pem")])),
"running sslapitest with modified fips config");
}
ok(run(test(["ssl_handshake_rtt_test"])),"running ssl_handshake_rtt_test");
unlink $tmpfilename;
|