mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-12-15 13:03:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

Teach ssl_test_new how to test the FIPS module

Browse Source 
We load the FIPS module and make sure it is configured before running
the ssl_test_new tests.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11511)
This commit is contained in:
Matt Caswell 2020-04-07 17:03:19 +01:00
parent ab5a02f707
commit 682bc861a9
17 changed files with 1251 additions and 1099 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
test/generate_ssl_tests.pl
View File

@ -128,18 +128,13 @@ sub print_templates {
sub read_config {
my $fname = shift;
my $provider = shift;
my $fips_mode = "0";
my $no_deflt_libctx = "0";
$fips_mode = "1" if $provider eq "fips";
$no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips";
local $ssltests::fips_mode = $provider eq "fips";
local $ssltests::no_deflt_libctx =
$provider eq "default" || $provider eq "fips";
open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
local $/ = undef;
my $content = <INPUT>;
$content =~ s/FIPS_MODE/$fips_mode/g;
$content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g;
close(INPUT);
eval $content;
warn $@ if $@;

41
test/recipes/80-test_ssl_new.t
View File

@ -13,11 +13,21 @@ use warnings;
use File::Basename;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
BEGIN {
setup("test_ssl_new");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
@ -28,7 +38,8 @@ map { s/\^// } @conf_files if $^O eq "VMS";
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 30; # = scalar @conf_srcs
plan tests => 30 # = scalar @conf_srcs
+ ($no_fips ? 0 : 1); # fipsinstall
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
@ -106,9 +117,19 @@ my %skip = (
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
);
unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsinstall.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
'-section_name', 'fips_sect'])),
"fipsinstall");
}
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
plan tests => 6;
plan tests => 6 + ($no_fips ? 0 : 3);
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
@ -117,6 +138,10 @@ foreach my $conf (@conf_files) {
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"default");
test_conf($conf,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"fips") unless $no_fips;
}
}
@ -149,8 +174,14 @@ sub test_conf {
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
ok(run(test(["ssl_test", $output_file, $provider])),
"running ssl_test $conf");
if ($provider eq "fips") {
ok(run(test(["ssl_test", $output_file, $provider,
srctop_file("test", "fips.cnf")])),
"running ssl_test $conf");
} else {
ok(run(test(["ssl_test", $output_file, $provider])),
"running ssl_test $conf");
}
}
}

4
test/ssl-tests/02-protocol-version.cnf.in
View File

@ -16,4 +16,6 @@ use warnings;
use protocol_version;
our @tests = generate_version_tests("TLS");
our $fips_mode;
our @tests = generate_version_tests("TLS", $fips_mode);

11
test/ssl-tests/04-client_auth.cnf.in
View File

@ -11,12 +11,19 @@ use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled disabled);
setup("no_test_here");
# We test version-flexible negotiation (undef) and each protocol version.
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
our $fips_mode;
my @protocols;
my @is_disabled = (0);
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
# We test version-flexible negotiation (undef) and each protocol version.
if ($fips_mode) {
@protocols = (undef, "TLSv1.2", "DTLSv1.2");
} else {
@protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
}
our @tests = ();
sub generate_tests() {

4
test/ssl-tests/05-sni.cnf.in
View File

@ -15,6 +15,8 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
our $fips_mode;
our @tests = (
{
name => "SNI-switch-context",
@ -166,4 +168,4 @@ our @tests_tls_1_1 = (
},
);
push @tests, @tests_tls_1_1 unless disabled("tls1_1");
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode;

4
test/ssl-tests/07-dtls-protocol-version.cnf.in
View File

@ -16,4 +16,6 @@ use warnings;
use protocol_version;
our @tests = generate_version_tests("DTLS");
our $fips_mode;
our @tests = generate_version_tests("DTLS", $fips_mode);

4
test/ssl-tests/10-resumption.cnf.in
View File

@ -16,4 +16,6 @@ package ssltests;
use protocol_version;
our @tests = generate_resumption_tests("TLS");
our $fips_mode;
our @tests = generate_resumption_tests("TLS", $fips_mode);

4
test/ssl-tests/11-dtls_resumption.cnf.in
View File

@ -16,4 +16,6 @@ package ssltests;
use protocol_version;
our @tests = generate_resumption_tests("DTLS");
our $fips_mode;
our @tests = generate_resumption_tests("DTLS", $fips_mode);

638
test/ssl-tests/14-curves.cnf
View File

File diff suppressed because it is too large Load Diff

20
test/ssl-tests/14-curves.cnf.in
View File

@ -10,14 +10,20 @@ use warnings;
use OpenSSL::Test;
use OpenSSL::Test::Utils qw(anydisabled);
my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1",
"sect193r2", "sect233k1", "sect233r1", "sect239k1",
our $fips_mode;
my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
"sect283k1", "sect283r1", "sect409k1", "sect409r1",
"sect571k1", "sect571r1", "secp160k1", "secp160r1",
"secp160r2", "secp192k1", "prime192v1", "secp224k1",
"secp224r1", "secp256k1", "prime256v1", "secp384r1",
"secp521r1", "brainpoolP256r1", "brainpoolP384r1",
"brainpoolP512r1", "X25519", "X448");
"sect571k1", "sect571r1", "prime192v1", "secp224r1",
"prime256v1", "secp384r1", "secp521r1", "X25519",
"X448");
my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
"secp160k1", "secp160r1", "secp160r2", "secp192k1",
"secp224k1", "secp256k1", "brainpoolP256r1",
"brainpoolP384r1", "brainpoolP512r1");
push @curves, @curves_non_fips if !$fips_mode;
our @tests = ();

1110
test/ssl-tests/20-cert-select.cnf
View File

File diff suppressed because it is too large Load Diff

366
test/ssl-tests/20-cert-select.cnf.in
View File

@ -9,15 +9,29 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
my $server = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
our $fips_mode;
our $no_deflt_libctx;
my $server;
if ($fips_mode) {
#TODO(3.0): No EdDSA support in FIPS mode at the moment
$server = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
} else {
$server = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
"MaxProtocol" => "TLSv1.2"
};
}
my $server_pss = {
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
@ -43,7 +57,7 @@ my $server_pss_restrict_only = {
my $server_rsa_all;
if (NO_DEFLT_LIBCTX) {
if ($no_deflt_libctx) {
$server_rsa_all = {
"Certificate" => test_pem("servercert.pem"),
"PrivateKey" => test_pem("serverkey.pem"),
@ -118,63 +132,6 @@ our @tests = (
"ExpectedResult" => "ServerFail"
},
},
{
name => "Ed25519 CipherString and Signature Algorithm Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
"RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "Ed25519",
"ExpectedServerSignType" =>, "Ed25519",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "Ed448 CipherString and Signature Algorithm Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
"RequestCAFile" => test_pem("root-ed448-cert.pem"),
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "Ed448",
"ExpectedServerSignType" =>, "Ed448",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA with brainpool",
server => {
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
"Groups" => "brainpoolP256r1",
},
client => {
#We don't restrict this to TLSv1.2, although use of brainpool
#should force this anyway so that this should succeed
"CipherString" => "aECDSA",
"RequestCAFile" => test_pem("root-cert.pem"),
"Groups" => "brainpoolP256r1",
},
test => {
"ExpectedServerCertType" =>, "brainpoolP256r1",
"ExpectedServerSignType" =>, "EC",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "RSA CipherString Selection",
server => $server,
@ -203,41 +160,6 @@ our @tests = (
"ExpectedResult" => "Success"
},
},
{
name => "Ed25519 CipherString and Curves Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
# Excluding P-256 from the supported curves list means server
# certificate should be Ed25519 and not P-256
"Curves" => "X25519"
},
test => {
"ExpectedServerCertType" =>, "Ed25519",
"ExpectedServerSignType" =>, "Ed25519",
"ExpectedResult" => "Success"
},
},
{
name => "Ed448 CipherString and Curves Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
# Excluding P-256 from the supported curves list means server
# certificate should be Ed25519 and not P-256
"Curves" => "X448"
},
test => {
"ExpectedServerCertType" =>, "Ed448",
"ExpectedServerSignType" =>, "Ed448",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA CipherString Selection, no ECDSA certificate",
server => {
@ -395,6 +317,102 @@ our @tests = (
"ExpectedResult" => "Success"
},
},
);
my @tests_non_fips = (
# TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
{
name => "Ed25519 CipherString and Signature Algorithm Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
"RequestCAFile" => test_pem("root-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "Ed25519",
"ExpectedServerSignType" =>, "Ed25519",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "Ed448 CipherString and Signature Algorithm Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
"RequestCAFile" => test_pem("root-ed448-cert.pem"),
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
},
test => {
"ExpectedServerCertType" =>, "Ed448",
"ExpectedServerSignType" =>, "Ed448",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "ECDSA with brainpool",
server => {
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
"Groups" => "brainpoolP256r1",
},
client => {
#We don't restrict this to TLSv1.2, although use of brainpool
#should force this anyway so that this should succeed
"CipherString" => "aECDSA",
"RequestCAFile" => test_pem("root-cert.pem"),
"Groups" => "brainpoolP256r1",
},
test => {
"ExpectedServerCertType" =>, "brainpoolP256r1",
"ExpectedServerSignType" =>, "EC",
# Note: certificate_authorities not sent for TLS < 1.3
"ExpectedServerCANames" =>, "empty",
"ExpectedResult" => "Success"
},
},
{
name => "Ed25519 CipherString and Curves Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
# Excluding P-256 from the supported curves list means server
# certificate should be Ed25519 and not P-256
"Curves" => "X25519"
},
test => {
"ExpectedServerCertType" =>, "Ed25519",
"ExpectedServerSignType" =>, "Ed25519",
"ExpectedResult" => "Success"
},
},
{
name => "Ed448 CipherString and Curves Selection",
server => $server,
client => {
"CipherString" => "aECDSA",
"MaxProtocol" => "TLSv1.2",
"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
# Excluding P-256 from the supported curves list means server
# certificate should be Ed25519 and not P-256
"Curves" => "X448"
},
test => {
"ExpectedServerCertType" =>, "Ed448",
"ExpectedServerSignType" =>, "Ed448",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.2 Ed25519 Client Auth",
server => {
@ -580,21 +598,34 @@ my @tests_tls_1_1 = (
},
);
#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have
# support for it
push @tests, @tests_pss unless NO_DEFLT_LIBCTX;
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX;
push @tests, @tests_non_fips unless $fips_mode;
my $server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
#TODO(3.0): Re-enable these PSS tests in a $no_deflt_libctx build once we have
# support for it
push @tests, @tests_pss unless $no_deflt_libctx;
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx;
my $server_tls_1_3;
if ($fips_mode) {
$server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
} else {
$server_tls_1_3 = {
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
"MinProtocol" => "TLSv1.3",
"MaxProtocol" => "TLSv1.3"
};
}
my $client_tls_1_3 = {
"RSA.Certificate" => test_pem("ee-client-chain.pem"),
@ -713,6 +744,57 @@ my @tests_tls_1_3 = (
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => "empty",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"RequestCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "P-256",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "EC",
"ExpectedResult" => "Success"
},
},
);
my @tests_tls_1_3_non_fips = (
{
name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
server => $server_tls_1_3,
@ -770,54 +852,6 @@ my @tests_tls_1_3 = (
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => "empty",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
server => {
"ClientSignatureAlgorithms" => "PSS+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"RequestCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "RSA",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "RSA-PSS",
"ExpectedClientCANames" => test_pem("root-cert.pem"),
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
server => {
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
"VerifyCAFile" => test_pem("root-cert.pem"),
"VerifyMode" => "Require"
},
client => $client_tls_1_3,
test => {
"ExpectedClientCertType" => "P-256",
"ExpectedClientSignHash" => "SHA256",
"ExpectedClientSignType" => "EC",
"ExpectedResult" => "Success"
},
},
{
name => "TLS 1.3 Ed25519 Client Auth",
server => {
@ -874,6 +908,7 @@ my @tests_tls_1_3 = (
);
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode;
my @tests_dsa_tls_1_2 = (
{
@ -929,6 +964,7 @@ my @tests_dsa_tls_1_3 = (
);
if (!disabled("dsa")) {
push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
#TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
}

5
test/ssl-tests/25-cipher.cnf.in
View File

@ -15,6 +15,8 @@ use warnings;
package ssltests;
use OpenSSL::Test::Utils;
our $fips_mode;
our @tests = (
{
name => "cipher-server-1",
@ -153,4 +155,5 @@ my @tests_poly1305 = (
},
);
push @tests, @tests_poly1305 unless disabled("poly1305") || disabled("chacha");
push @tests, @tests_poly1305
unless disabled("poly1305") || disabled("chacha") || $fips_mode;

7
test/ssl-tests/28-seclevel.cnf.in
View File

@ -12,6 +12,8 @@
package ssltests;
use OpenSSL::Test::Utils;
our $fips_mode;
our @tests = (
{
name => "SECLEVEL 3 with default key",
@ -79,5 +81,6 @@ our @tests_tls1_2 = (
},
);
push @tests, @tests_ec unless disabled("ec");
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
push @tests, @tests_ec unless disabled("ec") || $fips_mode;
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;

110
test/ssl-tests/protocol_version.pm
View File

@ -21,55 +21,82 @@ use OpenSSL::Test::Utils qw/anydisabled alldisabled disabled/;
setup("no_test_here");
my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
my @tls_protocols_fips = ("TLSv1.2", "TLSv1.3");
# undef stands for "no limit".
my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
my @min_tls_protocols_fips = (undef, "TLSv1.2", "TLSv1.3");
my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef);
my @max_tls_protocols_fips = ("TLSv1.2", "TLSv1.3", undef);
my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
my @is_tls_disabled_fips = anydisabled("tls1_2", "tls1_3");
my $min_tls_enabled; my $max_tls_enabled;
my $min_tls_enabled_fips; my $max_tls_enabled_fips;
# Protocol configuration works in cascades, i.e.,
# $no_tls1_1 disables TLSv1.1 and below.
#
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
foreach my $i (0..$#tls_protocols) {
if (!$is_tls_disabled[$i]) {
$min_tls_enabled = $i;
last;
sub min_prot_enabled {
my $protref = shift;
my $disabledref = shift;
my @protocols = @{$protref};
my @is_disabled = @{$disabledref};
my $min_enabled;
foreach my $i (0..$#protocols) {
if (!$is_disabled[$i]) {
$min_enabled = $i;
last;
}
}
return $min_enabled;
}
foreach my $i (0..$#tls_protocols) {
if (!$is_tls_disabled[$i]) {
$max_tls_enabled = $i;
sub max_prot_enabled {
my $protref = shift;
my $disabledref = shift;
my @protocols = @{$protref};
my @is_disabled = @{$disabledref};
my $max_enabled;
foreach my $i (0..$#protocols) {
if (!$is_disabled[$i]) {
$max_enabled = $i;
}
}
return $max_enabled;
}
$min_tls_enabled = min_prot_enabled(\@tls_protocols, \@is_tls_disabled);
$max_tls_enabled = max_prot_enabled(\@tls_protocols, \@is_tls_disabled);
$min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
$max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
my @dtls_protocols_fips = ("DTLSv1.2");
# undef stands for "no limit".
my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
my @min_dtls_protocols_fips = (undef, "DTLSv1.2");
my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
my @max_dtls_protocols_fips = ("DTLSv1.2", undef);
my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
my @is_dtls_disabled_fips = anydisabled("dtls1_2");
my $min_dtls_enabled; my $max_dtls_enabled;
my $min_dtls_enabled_fips; my $max_dtls_enabled_fips;
# $min_enabled and $max_enabled will be correct if there is at least one
# protocol enabled.
foreach my $i (0..$#dtls_protocols) {
if (!$is_dtls_disabled[$i]) {
$min_dtls_enabled = $i;
last;
}
}
foreach my $i (0..$#dtls_protocols) {
if (!$is_dtls_disabled[$i]) {
$max_dtls_enabled = $i;
}
}
$min_dtls_enabled = min_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
$max_dtls_enabled = max_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
$min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
sub no_tests {
my ($dtls) = @_;
@ -78,17 +105,31 @@ sub no_tests {
}
sub generate_version_tests {
my ($method) = @_;
my $method = shift;
my $fips = shift;
my $dtls = $method eq "DTLS";
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
my @protocols;
my @min_protocols;
my @max_protocols;
my $min_enabled;
my $max_enabled;
if ($fips) {
@protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
@min_protocols = $dtls ? @min_dtls_protocols_fips : @min_tls_protocols_fips;
@max_protocols = $dtls ? @max_dtls_protocols_fips : @max_tls_protocols_fips;
$min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
$max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
} else {
@protocols = $dtls ? @dtls_protocols : @tls_protocols;
@min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
@max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
$min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
$max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
}
if (no_tests($dtls)) {
return;
@ -166,15 +207,26 @@ sub generate_version_tests {
}
sub generate_resumption_tests {
my ($method) = @_;
my $method = shift;
my $fips = shift;
my $dtls = $method eq "DTLS";
# Don't write the redundant "Method = TLS" into the configuration.
undef $method if !$dtls;
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
my @protocols;
my $min_enabled;
my $max_enabled;
if ($fips) {
@protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
$min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
$max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
} else {
@protocols = $dtls ? @dtls_protocols : @tls_protocols;
$min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
$max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
}
if (no_tests($dtls)) {
return;

3
test/ssl-tests/ssltests_base.pm
View File

@ -17,6 +17,9 @@ sub test_pem
return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file,
}
our $fips_mode = 0;
our $no_deflt_libctx = 0;
our %base_server = (
"Certificate" => test_pem("servercert.pem"),
"PrivateKey" => test_pem("serverkey.pem"),

8
test/ssl_test.c
View File

@ -511,7 +511,7 @@ err:
return ret;
}
OPT_TEST_DECLARE_USAGE("conf_file\n")
OPT_TEST_DECLARE_USAGE("conf_file modulename [fips_conf_file]\n")
int setup_tests(void)
{
@ -534,11 +534,17 @@ int setup_tests(void)
return 0;
if (strcmp(modulename, "none") != 0) {
const char *configfile = test_get_argument(2);
defctxnull = OSSL_PROVIDER_load(NULL, "null");
libctx = OPENSSL_CTX_new();
if (!TEST_ptr(libctx))
return 0;
if (configfile != NULL
&& !TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
return 0;
thisprov = OSSL_PROVIDER_load(libctx, modulename);
if (!TEST_ptr(thisprov))
return 0;