Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

提交 4f6c7044 编写于 作者: M Matt Caswell
浏览文件
操作

Re-enable FIPS testing in sslapitest.c 

Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
上级 5e30f2fd
显示空白变更内容
内联 并排
Showing with 58 addition and 23 deletion
test/recipes/90-test_sslapi.t
浏览文件 @ 4f6c7044
......@@ -19,19 +19,28 @@ use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 2;
plan tests =>
($no_fips ? 0 : 2) # FIPS install test + sslapitest with fips
+ 1; # sslapitest with default provider
(undef, my $tmpfilename) = tempfile();
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
ok(run(app(['openssl', 'fipsinstall',
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"), $tmpfilename, "default",
srctop_file("test", "default.cnf")])),
"running sslapitest");
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsinstall.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
......@@ -39,10 +48,11 @@ ok(run(app(['openssl', 'fipsinstall',
'-section_name', 'fips_sect'])),
"fipsinstall");
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
"passwd.txt"), $tmpfilename, "default",
srctop_file("test", "default.cnf")])),
"passwd.txt"), $tmpfilename, "fips",
srctop_file("test", "fips.cnf")])),
"running sslapitest");
}
unlink $tmpfilename;
test/sslapitest.c
浏览文件 @ 4f6c7044
......@@ -64,6 +64,8 @@ static char *privkey = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
static int is_fips = 0;
#define LOG_BUFFER_SIZE 2048
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
static size_t server_log_buffer_index = 0;
......@@ -3748,6 +3750,10 @@ static int test_ciphersuite_change(void)
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(sctx,
"TLS_AES_128_GCM_SHA256:"
"TLS_AES_256_GCM_SHA384:"
"TLS_AES_128_CCM_SHA256"))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
......@@ -3765,12 +3771,11 @@ static int test_ciphersuite_change(void)
SSL_free(clientssl);
serverssl = clientssl = NULL;
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
/* Check we can resume a session with a different SHA-256 ciphersuite */
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_CHACHA20_POLY1305_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))
"TLS_AES_128_CCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
&clientssl, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, clntsess))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
......@@ -3784,7 +3789,6 @@ static int test_ciphersuite_change(void)
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
# endif
/*
* Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
......@@ -4033,15 +4037,19 @@ static int test_tls13_ciphersuite(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
static const char *t13_ciphers[] = {
TLS1_3_RFC_AES_128_GCM_SHA256,
TLS1_3_RFC_AES_256_GCM_SHA384,
TLS1_3_RFC_AES_128_CCM_SHA256,
static const struct {
const char *ciphername;
int fipscapable;
} t13_ciphers[] = {
{ TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
{ TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
{ TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
{ TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
{ TLS1_3_RFC_AES_256_GCM_SHA384
":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
# endif
TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
{ TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
};
const char *t13_cipher = NULL;
const char *t12_cipher = NULL;
......@@ -4076,7 +4084,9 @@ static int test_tls13_ciphersuite(int idx)
continue;
# endif
for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
t13_cipher = t13_ciphers[i];
if (is_fips && !t13_ciphers[i].fipscapable)
continue;
t13_cipher = t13_ciphers[i].ciphername;
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, max_ver,
......@@ -4194,6 +4204,16 @@ static int test_tls13_psk(int idx)
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256")))
goto end;
} else {
/*
* As noted above the server should prefer SHA256 automatically. However
* we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
* code works even if we are testing with only the FIPS provider loaded.
*/
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_256_GCM_SHA384:"
"TLS_AES_128_GCM_SHA256")))
goto end;
}
/*
......@@ -4933,6 +4953,8 @@ static int test_export_key_mat(int tst)
if (tst == 1)
return 1;
#endif
if (is_fips && (tst == 0 || tst == 1))
return 1;
#ifdef OPENSSL_NO_TLS1_2
if (tst == 2)
return 1;
......@@ -7303,6 +7325,9 @@ int setup_tests(void)
&& !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
return 0;
if (strcmp(modulename, "fips") == 0)
is_fips = 1;
if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
TEST_error("not supported in this build");
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册