Teach ssl_test_new to have different tests for different loaded providers

We now run the tests twice: Once with no specific providers loaded and just using the default libctx, and a second time with a non-default libctx and the default provider. In the second run we disable tests which use a PSS cert/key because we don't yet have support for that. Reviewed-by: N Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)

Teach ssl_test_new to have different tests for different loaded providers
We now run the tests twice: Once with no specific providers loaded and just using the default libctx, and a second time with a non-default libctx and the default provider. In the second run we disable tests which use a PSS cert/key because we don't yet have support for that. Reviewed-by: N Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
ab5a02f7 · Matt Caswell · fea4e2bd · ab5a02f7 · ab5a02f7 · ab5a02f7
5 changed file
--- a/test/generate_ssl_tests.pl
+++ b/test/generate_ssl_tests.pl
@@ -127,17 +127,28 @@ sub print_templates {
 # Shamelessly copied from Configure.
 sub read_config {
    my $fname = shift;
+    my $provider = shift;
+    my $fips_mode = "0";
+    my $no_deflt_libctx = "0";
+
+    $fips_mode = "1" if $provider eq "fips";
+    $no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips";
+
    open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
    local $/ = undef;
    my $content = <INPUT>;
+    $content =~ s/FIPS_MODE/$fips_mode/g;
+    $content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g;
+
    close(INPUT);
    eval $content;
    warn $@ if $@;
 }

 my $input_file = shift;
+my $provider = shift;
 # Reads the tests into ssltests::tests.
-read_config($input_file);
+read_config($input_file, $provider);
 print_templates();

 1;
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -108,26 +108,30 @@ my %skip = (

 foreach my $conf (@conf_files) {
    subtest "Test configuration $conf" => sub {
+        plan tests => 6;
        test_conf($conf,
                  $conf_dependent_tests{$conf} || $^O eq "VMS" ?  0 : 1,
-                  defined($skip{$conf}) ? $skip{$conf} : $no_tls);
+                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+                  "none");
+        test_conf($conf,
+                  0,
+                  defined($skip{$conf}) ? $skip{$conf} : $no_tls,
+                  "default");
    }
 }

 sub test_conf {
-    plan tests => 3;
-
-    my ($conf, $check_source, $skip) = @_;
+    my ($conf, $check_source, $skip, $provider) = @_;

    my $conf_file = srctop_file("test", "ssl-tests", $conf);
    my $input_file = $conf_file . ".in";
-    my $output_file = $conf;
+    my $output_file = $conf . "." . $provider;
    my $run_test = 1;

  SKIP: {
      # "Test" 1. Generate the source.
      skip 'failure', 2 unless
-        ok(run(perltest(["generate_ssl_tests.pl", $input_file],
+        ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
                        interpreter_args => [ "-I", srctop_dir("util", "perl")],
                        stdout => $output_file)),
           "Getting output from generate_ssl_tests.pl.");
@@ -145,7 +149,7 @@ sub test_conf {
      skip "No tests available; skipping tests", 1 if $skip;
      skip "Stale sources; skipping tests", 1 if !$run_test;

-      ok(run(test(["ssl_test", $output_file, "default"])),
+      ok(run(test(["ssl_test", $output_file, $provider])),
         "running ssl_test $conf");
    }
 }

--- a/test/ssl-tests/20-cert-select.cnf
+++ b/test/ssl-tests/20-cert-select.cnf
--- a/test/ssl-tests/20-cert-select.cnf.in
+++ b/test/ssl-tests/20-cert-select.cnf.in
@@ -41,13 +41,21 @@ my $server_pss_restrict_only = {
    "PrivateKey" => test_pem("server-pss-restrict-key.pem"),
 };

+my $server_rsa_all;

-my $server_rsa_all = {
-    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
-    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
-    "Certificate" => test_pem("servercert.pem"),
-    "PrivateKey" => test_pem("serverkey.pem"),
-};
+if (NO_DEFLT_LIBCTX) {
+    $server_rsa_all = {
+        "Certificate" => test_pem("servercert.pem"),
+        "PrivateKey" => test_pem("serverkey.pem"),
+    };
+} else {
+    $server_rsa_all = {
+        "PSS.Certificate" => test_pem("server-pss-cert.pem"),
+        "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
+        "Certificate" => test_pem("servercert.pem"),
+        "PrivateKey" => test_pem("serverkey.pem"),
+    };
+}

 our @tests = (
    {
@@ -180,19 +188,6 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
-    {
-        name => "RSA-PSS Certificate CipherString Selection",
-        server => $server_pss,
-        client => {
-            "CipherString" => "aRSA",
-            "MaxProtocol" => "TLSv1.2",
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "RSA-PSS",
-            "ExpectedServerSignType" =>, "RSA-PSS",
-            "ExpectedResult" => "Success"
-        },
-    },
    {
        name => "P-256 CipherString and Signature Algorithm Selection",
        server => $server,
@@ -350,6 +345,108 @@ our @tests = (
            "ExpectedResult" => "Success"
        },
    },
+    {
+        name => "RSA key exchange with all RSA certificate types",
+        server => $server_rsa_all,
+        client => {
+            "CipherString" => "kRSA",
+            "MaxProtocol" => "TLSv1.2",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "RSA",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Suite B P-256 Hash Algorithm Selection",
+        server =>  {
+            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
+            "MaxProtocol" => "TLSv1.2",
+            "CipherString" => "SUITEB128"
+        },
+        client => {
+            "VerifyCAFile" => test_pem("p384-root.pem"),
+            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-256",
+            "ExpectedServerSignHash" => "SHA256",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "Suite B P-384 Hash Algorithm Selection",
+        server =>  {
+            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
+            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
+            "MaxProtocol" => "TLSv1.2",
+            "CipherString" => "SUITEB128"
+        },
+        client => {
+            "VerifyCAFile" => test_pem("p384-root.pem"),
+            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
+        },
+        test   => {
+            "ExpectedServerCertType" => "P-384",
+            "ExpectedServerSignHash" => "SHA384",
+            "ExpectedServerSignType" => "EC",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "TLS 1.2 Ed25519 Client Auth",
+        server => {
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => {
+            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
+            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
+            "MinProtocol" => "TLSv1.2",
+            "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+            "ExpectedClientCertType" => "Ed25519",
+            "ExpectedClientSignType" => "Ed25519",
+            "ExpectedResult" => "Success"
+        },
+    },
+    {
+        name => "TLS 1.2 Ed448 Client Auth",
+        server => {
+            "VerifyCAFile" => test_pem("root-cert.pem"),
+            "VerifyMode" => "Require"
+        },
+        client => {
+            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
+            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
+            "MinProtocol" => "TLSv1.2",
+            "MaxProtocol" => "TLSv1.2"
+        },
+        test   => {
+            "ExpectedClientCertType" => "Ed448",
+            "ExpectedClientSignType" => "Ed448",
+            "ExpectedResult" => "Success"
+        },
+    },
+);
+
+my @tests_pss = (
+    {
+        name => "RSA-PSS Certificate CipherString Selection",
+        server => $server_pss,
+        client => {
+            "CipherString" => "aRSA",
+            "MaxProtocol" => "TLSv1.2",
+        },
+        test   => {
+            "ExpectedServerCertType" =>, "RSA-PSS",
+            "ExpectedServerSignType" =>, "RSA-PSS",
+            "ExpectedResult" => "Success"
+        },
+    },
    {
        name => "RSA-PSS Certificate Legacy Signature Algorithm Selection",
        server => $server_pss,
@@ -457,18 +554,6 @@ our @tests = (
            "ExpectedResult" => "ServerFail"
        },
    },
-    {
-        name => "RSA key exchange with all RSA certificate types",
-        server => $server_rsa_all,
-        client => {
-            "CipherString" => "kRSA",
-            "MaxProtocol" => "TLSv1.2",
-        },
-        test   => {
-            "ExpectedServerCertType" =>, "RSA",
-            "ExpectedResult" => "Success"
-        },
-    },
    {
        name => "RSA key exchange with only RSA-PSS certificate",
        server => $server_pss_only,
@@ -480,80 +565,6 @@ our @tests = (
            "ExpectedResult" => "ServerFail"
        },
    },
-    {
-        name => "Suite B P-256 Hash Algorithm Selection",
-        server =>  {
-            "ECDSA.Certificate" => test_pem("p256-server-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("p256-server-key.pem"),
-            "MaxProtocol" => "TLSv1.2",
-            "CipherString" => "SUITEB128"
-        },
-        client => {
-            "VerifyCAFile" => test_pem("p384-root.pem"),
-            "SignatureAlgorithms" => "ECDSA+SHA384:ECDSA+SHA256"
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-256",
-            "ExpectedServerSignHash" => "SHA256",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "Suite B P-384 Hash Algorithm Selection",
-        server =>  {
-            "ECDSA.Certificate" => test_pem("p384-server-cert.pem"),
-            "ECDSA.PrivateKey" => test_pem("p384-server-key.pem"),
-            "MaxProtocol" => "TLSv1.2",
-            "CipherString" => "SUITEB128"
-        },
-        client => {
-            "VerifyCAFile" => test_pem("p384-root.pem"),
-            "SignatureAlgorithms" => "ECDSA+SHA256:ECDSA+SHA384"
-        },
-        test   => {
-            "ExpectedServerCertType" => "P-384",
-            "ExpectedServerSignHash" => "SHA384",
-            "ExpectedServerSignType" => "EC",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.2 Ed25519 Client Auth",
-        server => {
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => {
-            "Ed25519.Certificate" => test_pem("client-ed25519-cert.pem"),
-            "Ed25519.PrivateKey" => test_pem("client-ed25519-key.pem"),
-            "MinProtocol" => "TLSv1.2",
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test   => {
-            "ExpectedClientCertType" => "Ed25519",
-            "ExpectedClientSignType" => "Ed25519",
-            "ExpectedResult" => "Success"
-        },
-    },
-    {
-        name => "TLS 1.2 Ed448 Client Auth",
-        server => {
-            "VerifyCAFile" => test_pem("root-cert.pem"),
-            "VerifyMode" => "Require"
-        },
-        client => {
-            "Ed448.Certificate" => test_pem("client-ed448-cert.pem"),
-            "Ed448.PrivateKey" => test_pem("client-ed448-key.pem"),
-            "MinProtocol" => "TLSv1.2",
-            "MaxProtocol" => "TLSv1.2"
-        },
-        test   => {
-            "ExpectedClientCertType" => "Ed448",
-            "ExpectedClientSignType" => "Ed448",
-            "ExpectedResult" => "Success"
-        },
-    },
 );

 my @tests_tls_1_1 = (
@@ -569,7 +580,10 @@ my @tests_tls_1_1 = (
    },
 );

-push @tests, @tests_tls_1_1 unless disabled("tls1_1");
+#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have
+#           support for it
+push @tests, @tests_pss unless NO_DEFLT_LIBCTX;
+push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX;

 my $server_tls_1_3 = {
    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
@@ -582,19 +596,6 @@ my $server_tls_1_3 = {
    "MaxProtocol" => "TLSv1.3"
 };

-my $server_tls_1_3_pss = {
-    "PSS.Certificate" => test_pem("server-pss-cert.pem"),
-    "PSS.PrivateKey" => test_pem("server-pss-key.pem"),
-    "ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
-    "ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
-    "Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
-    "Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
-    "Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
-    "Ed448.PrivateKey" => test_pem("server-ed449-key.pem"),
-    "MinProtocol" => "TLSv1.3",
-    "MaxProtocol" => "TLSv1.3"
-};
-
 my $client_tls_1_3 = {
    "RSA.Certificate" => test_pem("ee-client-chain.pem"),
    "RSA.PrivateKey" => test_pem("ee-key.pem"),

--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@@ -533,14 +533,16 @@ int setup_tests(void)
    if (!TEST_ptr(modulename = test_get_argument(1)))
        return 0;

-    defctxnull = OSSL_PROVIDER_load(NULL, "null");
-    libctx = OPENSSL_CTX_new();
-    if (!TEST_ptr(libctx))
-        return 0;
+    if (strcmp(modulename, "none") != 0) {
+        defctxnull = OSSL_PROVIDER_load(NULL, "null");
+        libctx = OPENSSL_CTX_new();
+        if (!TEST_ptr(libctx))
+            return 0;

-    thisprov = OSSL_PROVIDER_load(libctx, modulename);
-    if (!TEST_ptr(thisprov))
-        return 0;
+        thisprov = OSSL_PROVIDER_load(libctx, modulename);
+        if (!TEST_ptr(thisprov))
+            return 0;
+    }

    ADD_ALL_TESTS(test_handshake, (int)num_tests);
    return 1;