From 4f6c704495248d4e61b7668201e3bef47a45e35f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Sat, 21 Mar 2020 00:39:27 +0000 Subject: [PATCH] Re-enable FIPS testing in sslapitest.c Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/11508) --- test/recipes/90-test_sslapi.t | 30 ++++++++++++++------- test/sslapitest.c | 51 ++++++++++++++++++++++++++--------- 2 files changed, 58 insertions(+), 23 deletions(-) diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t index 18ca860e23..5e137c5e77 100644 --- a/test/recipes/90-test_sslapi.t +++ b/test/recipes/90-test_sslapi.t @@ -19,30 +19,40 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); -plan tests => 2; +plan tests => + ($no_fips ? 0 : 2) # FIPS install test + sslapitest with fips + + 1; # sslapitest with default provider (undef, my $tmpfilename) = tempfile(); - $ENV{OPENSSL_MODULES} = bldtop_dir("providers"); $ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); -ok(run(app(['openssl', 'fipsinstall', - '-out', bldtop_file('providers', 'fipsinstall.cnf'), - '-module', bldtop_file('providers', platform->dso('fips')), - '-provider_name', 'fips', '-mac_name', 'HMAC', - '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', - '-section_name', 'fips_sect'])), - "fipsinstall"); - ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", "passwd.txt"), $tmpfilename, "default", srctop_file("test", "default.cnf")])), "running sslapitest"); +unless ($no_fips) { + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsinstall.cnf'), + '-module', bldtop_file('providers', platform->dso('fips')), + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), + "fipsinstall"); + + ok(run(test(["sslapitest", srctop_dir("test", "certs"), + srctop_file("test", "recipes", "90-test_sslapi_data", + "passwd.txt"), $tmpfilename, "fips", + srctop_file("test", "fips.cnf")])), + "running sslapitest"); +} + unlink $tmpfilename; diff --git a/test/sslapitest.c b/test/sslapitest.c index ef078ad244..b1522b451d 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -64,6 +64,8 @@ static char *privkey = NULL; static char *srpvfile = NULL; static char *tmpfilename = NULL; +static int is_fips = 0; + #define LOG_BUFFER_SIZE 2048 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; static size_t server_log_buffer_index = 0; @@ -3748,6 +3750,10 @@ static int test_ciphersuite_change(void) if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) + || !TEST_true(SSL_CTX_set_ciphersuites(sctx, + "TLS_AES_128_GCM_SHA256:" + "TLS_AES_256_GCM_SHA384:" + "TLS_AES_128_CCM_SHA256")) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")) || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, @@ -3765,12 +3771,11 @@ static int test_ciphersuite_change(void) SSL_free(clientssl); serverssl = clientssl = NULL; -# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) /* Check we can resume a session with a different SHA-256 ciphersuite */ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, - "TLS_CHACHA20_POLY1305_SHA256")) - || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, - NULL, NULL)) + "TLS_AES_128_CCM_SHA256")) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL)) || !TEST_true(SSL_set_session(clientssl, clntsess)) || !TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) @@ -3784,7 +3789,6 @@ static int test_ciphersuite_change(void) SSL_free(serverssl); SSL_free(clientssl); serverssl = clientssl = NULL; -# endif /* * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites @@ -4033,15 +4037,19 @@ static int test_tls13_ciphersuite(int idx) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl = NULL, *clientssl = NULL; - static const char *t13_ciphers[] = { - TLS1_3_RFC_AES_128_GCM_SHA256, - TLS1_3_RFC_AES_256_GCM_SHA384, - TLS1_3_RFC_AES_128_CCM_SHA256, + static const struct { + const char *ciphername; + int fipscapable; + } t13_ciphers[] = { + { TLS1_3_RFC_AES_128_GCM_SHA256, 1 }, + { TLS1_3_RFC_AES_256_GCM_SHA384, 1 }, + { TLS1_3_RFC_AES_128_CCM_SHA256, 1 }, # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) - TLS1_3_RFC_CHACHA20_POLY1305_SHA256, - TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, + { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, + { TLS1_3_RFC_AES_256_GCM_SHA384 + ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 }, # endif - TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256 + { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 } }; const char *t13_cipher = NULL; const char *t12_cipher = NULL; @@ -4076,7 +4084,9 @@ static int test_tls13_ciphersuite(int idx) continue; # endif for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) { - t13_cipher = t13_ciphers[i]; + if (is_fips && !t13_ciphers[i].fipscapable) + continue; + t13_cipher = t13_ciphers[i].ciphername; if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, max_ver, @@ -4194,6 +4204,16 @@ static int test_tls13_psk(int idx) if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256"))) goto end; + } else { + /* + * As noted above the server should prefer SHA256 automatically. However + * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same + * code works even if we are testing with only the FIPS provider loaded. + */ + if (!TEST_true(SSL_CTX_set_ciphersuites(cctx, + "TLS_AES_256_GCM_SHA384:" + "TLS_AES_128_GCM_SHA256"))) + goto end; } /* @@ -4933,6 +4953,8 @@ static int test_export_key_mat(int tst) if (tst == 1) return 1; #endif + if (is_fips && (tst == 0 || tst == 1)) + return 1; #ifdef OPENSSL_NO_TLS1_2 if (tst == 2) return 1; @@ -7303,6 +7325,9 @@ int setup_tests(void) && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) return 0; + if (strcmp(modulename, "fips") == 0) + is_fips = 1; + if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { #ifdef OPENSSL_NO_CRYPTO_MDEBUG TEST_error("not supported in this build"); -- 2.25.1