mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 13:03:39 +08:00
Teach ssl_test_new how to test the FIPS module
We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
This commit is contained in:
parent
ab5a02f707
commit
682bc861a9
@ -128,18 +128,13 @@ sub print_templates {
|
||||
sub read_config {
|
||||
my $fname = shift;
|
||||
my $provider = shift;
|
||||
my $fips_mode = "0";
|
||||
my $no_deflt_libctx = "0";
|
||||
|
||||
$fips_mode = "1" if $provider eq "fips";
|
||||
$no_deflt_libctx = "1" if $provider eq "default" || $provider eq "fips";
|
||||
local $ssltests::fips_mode = $provider eq "fips";
|
||||
local $ssltests::no_deflt_libctx =
|
||||
$provider eq "default" || $provider eq "fips";
|
||||
|
||||
open(INPUT, "< $fname") or die "Can't open input file '$fname'!\n";
|
||||
local $/ = undef;
|
||||
my $content = <INPUT>;
|
||||
$content =~ s/FIPS_MODE/$fips_mode/g;
|
||||
$content =~ s/NO_DEFLT_LIBCTX/$no_deflt_libctx/g;
|
||||
|
||||
close(INPUT);
|
||||
eval $content;
|
||||
warn $@ if $@;
|
||||
|
@ -13,11 +13,21 @@ use warnings;
|
||||
use File::Basename;
|
||||
use File::Compare qw/compare_text/;
|
||||
use OpenSSL::Glob;
|
||||
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
|
||||
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
|
||||
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
|
||||
|
||||
BEGIN {
|
||||
setup("test_ssl_new");
|
||||
}
|
||||
|
||||
use lib srctop_dir('Configurations');
|
||||
use lib bldtop_dir('.');
|
||||
use platform;
|
||||
|
||||
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
||||
|
||||
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
|
||||
$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
|
||||
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
||||
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.cnf");
|
||||
|
||||
@ -28,7 +38,8 @@ map { s/\^// } @conf_files if $^O eq "VMS";
|
||||
|
||||
# We hard-code the number of tests to double-check that the globbing above
|
||||
# finds all files as expected.
|
||||
plan tests => 30; # = scalar @conf_srcs
|
||||
plan tests => 30 # = scalar @conf_srcs
|
||||
+ ($no_fips ? 0 : 1); # fipsinstall
|
||||
|
||||
# Some test results depend on the configuration of enabled protocols. We only
|
||||
# verify generated sources in the default configuration.
|
||||
@ -106,9 +117,19 @@ my %skip = (
|
||||
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
|
||||
);
|
||||
|
||||
unless ($no_fips) {
|
||||
ok(run(app(['openssl', 'fipsinstall',
|
||||
'-out', bldtop_file('providers', 'fipsinstall.cnf'),
|
||||
'-module', bldtop_file('providers', platform->dso('fips')),
|
||||
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
||||
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
||||
'-section_name', 'fips_sect'])),
|
||||
"fipsinstall");
|
||||
}
|
||||
|
||||
foreach my $conf (@conf_files) {
|
||||
subtest "Test configuration $conf" => sub {
|
||||
plan tests => 6;
|
||||
plan tests => 6 + ($no_fips ? 0 : 3);
|
||||
test_conf($conf,
|
||||
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
|
||||
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
||||
@ -117,6 +138,10 @@ foreach my $conf (@conf_files) {
|
||||
0,
|
||||
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
||||
"default");
|
||||
test_conf($conf,
|
||||
0,
|
||||
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
||||
"fips") unless $no_fips;
|
||||
}
|
||||
}
|
||||
|
||||
@ -149,8 +174,14 @@ sub test_conf {
|
||||
skip "No tests available; skipping tests", 1 if $skip;
|
||||
skip "Stale sources; skipping tests", 1 if !$run_test;
|
||||
|
||||
ok(run(test(["ssl_test", $output_file, $provider])),
|
||||
"running ssl_test $conf");
|
||||
if ($provider eq "fips") {
|
||||
ok(run(test(["ssl_test", $output_file, $provider,
|
||||
srctop_file("test", "fips.cnf")])),
|
||||
"running ssl_test $conf");
|
||||
} else {
|
||||
ok(run(test(["ssl_test", $output_file, $provider])),
|
||||
"running ssl_test $conf");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -16,4 +16,6 @@ use warnings;
|
||||
|
||||
use protocol_version;
|
||||
|
||||
our @tests = generate_version_tests("TLS");
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = generate_version_tests("TLS", $fips_mode);
|
||||
|
@ -11,12 +11,19 @@ use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils qw(anydisabled disabled);
|
||||
setup("no_test_here");
|
||||
|
||||
# We test version-flexible negotiation (undef) and each protocol version.
|
||||
my @protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
|
||||
our $fips_mode;
|
||||
|
||||
my @protocols;
|
||||
my @is_disabled = (0);
|
||||
push @is_disabled, anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "dtls1", "dtls1_2");
|
||||
|
||||
# We test version-flexible negotiation (undef) and each protocol version.
|
||||
if ($fips_mode) {
|
||||
@protocols = (undef, "TLSv1.2", "DTLSv1.2");
|
||||
} else {
|
||||
@protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "DTLSv1", "DTLSv1.2");
|
||||
}
|
||||
|
||||
our @tests = ();
|
||||
|
||||
sub generate_tests() {
|
||||
|
@ -15,6 +15,8 @@ use warnings;
|
||||
package ssltests;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = (
|
||||
{
|
||||
name => "SNI-switch-context",
|
||||
@ -166,4 +168,4 @@ our @tests_tls_1_1 = (
|
||||
},
|
||||
);
|
||||
|
||||
push @tests, @tests_tls_1_1 unless disabled("tls1_1");
|
||||
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $fips_mode;
|
||||
|
@ -16,4 +16,6 @@ use warnings;
|
||||
|
||||
use protocol_version;
|
||||
|
||||
our @tests = generate_version_tests("DTLS");
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = generate_version_tests("DTLS", $fips_mode);
|
||||
|
@ -16,4 +16,6 @@ package ssltests;
|
||||
|
||||
use protocol_version;
|
||||
|
||||
our @tests = generate_resumption_tests("TLS");
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = generate_resumption_tests("TLS", $fips_mode);
|
||||
|
@ -16,4 +16,6 @@ package ssltests;
|
||||
|
||||
use protocol_version;
|
||||
|
||||
our @tests = generate_resumption_tests("DTLS");
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = generate_resumption_tests("DTLS", $fips_mode);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -10,14 +10,20 @@ use warnings;
|
||||
use OpenSSL::Test;
|
||||
use OpenSSL::Test::Utils qw(anydisabled);
|
||||
|
||||
my @curves = ("sect163k1", "sect163r1", "sect163r2", "sect193r1",
|
||||
"sect193r2", "sect233k1", "sect233r1", "sect239k1",
|
||||
our $fips_mode;
|
||||
|
||||
my @curves = ("sect163k1", "sect163r2", "sect233k1", "sect233r1",
|
||||
"sect283k1", "sect283r1", "sect409k1", "sect409r1",
|
||||
"sect571k1", "sect571r1", "secp160k1", "secp160r1",
|
||||
"secp160r2", "secp192k1", "prime192v1", "secp224k1",
|
||||
"secp224r1", "secp256k1", "prime256v1", "secp384r1",
|
||||
"secp521r1", "brainpoolP256r1", "brainpoolP384r1",
|
||||
"brainpoolP512r1", "X25519", "X448");
|
||||
"sect571k1", "sect571r1", "prime192v1", "secp224r1",
|
||||
"prime256v1", "secp384r1", "secp521r1", "X25519",
|
||||
"X448");
|
||||
|
||||
my @curves_non_fips = ("sect163r1", "sect193r1", "sect193r2", "sect239k1",
|
||||
"secp160k1", "secp160r1", "secp160r2", "secp192k1",
|
||||
"secp224k1", "secp256k1", "brainpoolP256r1",
|
||||
"brainpoolP384r1", "brainpoolP512r1");
|
||||
|
||||
push @curves, @curves_non_fips if !$fips_mode;
|
||||
|
||||
our @tests = ();
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -9,15 +9,29 @@ use warnings;
|
||||
package ssltests;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
my $server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
our $fips_mode;
|
||||
our $no_deflt_libctx;
|
||||
|
||||
my $server;
|
||||
|
||||
if ($fips_mode) {
|
||||
#TODO(3.0): No EdDSA support in FIPS mode at the moment
|
||||
$server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
} else {
|
||||
$server = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MaxProtocol" => "TLSv1.2"
|
||||
};
|
||||
}
|
||||
|
||||
my $server_pss = {
|
||||
"PSS.Certificate" => test_pem("server-pss-cert.pem"),
|
||||
@ -43,7 +57,7 @@ my $server_pss_restrict_only = {
|
||||
|
||||
my $server_rsa_all;
|
||||
|
||||
if (NO_DEFLT_LIBCTX) {
|
||||
if ($no_deflt_libctx) {
|
||||
$server_rsa_all = {
|
||||
"Certificate" => test_pem("servercert.pem"),
|
||||
"PrivateKey" => test_pem("serverkey.pem"),
|
||||
@ -118,63 +132,6 @@ our @tests = (
|
||||
"ExpectedResult" => "ServerFail"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed25519 CipherString and Signature Algorithm Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed25519",
|
||||
"ExpectedServerSignType" =>, "Ed25519",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed448 CipherString and Signature Algorithm Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
|
||||
"RequestCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed448",
|
||||
"ExpectedServerSignType" =>, "Ed448",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA with brainpool",
|
||||
server => {
|
||||
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
client => {
|
||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
||||
#should force this anyway so that this should succeed
|
||||
"CipherString" => "aECDSA",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "brainpoolP256r1",
|
||||
"ExpectedServerSignType" =>, "EC",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "RSA CipherString Selection",
|
||||
server => $server,
|
||||
@ -203,41 +160,6 @@ our @tests = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed25519 CipherString and Curves Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
|
||||
# Excluding P-256 from the supported curves list means server
|
||||
# certificate should be Ed25519 and not P-256
|
||||
"Curves" => "X25519"
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed25519",
|
||||
"ExpectedServerSignType" =>, "Ed25519",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed448 CipherString and Curves Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
# Excluding P-256 from the supported curves list means server
|
||||
# certificate should be Ed25519 and not P-256
|
||||
"Curves" => "X448"
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed448",
|
||||
"ExpectedServerSignType" =>, "Ed448",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA CipherString Selection, no ECDSA certificate",
|
||||
server => {
|
||||
@ -395,6 +317,102 @@ our @tests = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
my @tests_non_fips = (
|
||||
# TODO(3.0) No Ed25519/Ed448 in FIPS mode at the moment
|
||||
{
|
||||
name => "Ed25519 CipherString and Signature Algorithm Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ed25519:ECDSA+SHA256",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed25519",
|
||||
"ExpectedServerSignType" =>, "Ed25519",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed448 CipherString and Signature Algorithm Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ed448:ECDSA+SHA256",
|
||||
"RequestCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed448",
|
||||
"ExpectedServerSignType" =>, "Ed448",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "ECDSA with brainpool",
|
||||
server => {
|
||||
"Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"),
|
||||
"PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
client => {
|
||||
#We don't restrict this to TLSv1.2, although use of brainpool
|
||||
#should force this anyway so that this should succeed
|
||||
"CipherString" => "aECDSA",
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"Groups" => "brainpoolP256r1",
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "brainpoolP256r1",
|
||||
"ExpectedServerSignType" =>, "EC",
|
||||
# Note: certificate_authorities not sent for TLS < 1.3
|
||||
"ExpectedServerCANames" =>, "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed25519 CipherString and Curves Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:ed25519",
|
||||
# Excluding P-256 from the supported curves list means server
|
||||
# certificate should be Ed25519 and not P-256
|
||||
"Curves" => "X25519"
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed25519",
|
||||
"ExpectedServerSignType" =>, "Ed25519",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "Ed448 CipherString and Curves Selection",
|
||||
server => $server,
|
||||
client => {
|
||||
"CipherString" => "aECDSA",
|
||||
"MaxProtocol" => "TLSv1.2",
|
||||
"SignatureAlgorithms" => "ECDSA+SHA256:ed448",
|
||||
"VerifyCAFile" => test_pem("root-ed448-cert.pem"),
|
||||
# Excluding P-256 from the supported curves list means server
|
||||
# certificate should be Ed25519 and not P-256
|
||||
"Curves" => "X448"
|
||||
},
|
||||
test => {
|
||||
"ExpectedServerCertType" =>, "Ed448",
|
||||
"ExpectedServerSignType" =>, "Ed448",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.2 Ed25519 Client Auth",
|
||||
server => {
|
||||
@ -580,21 +598,34 @@ my @tests_tls_1_1 = (
|
||||
},
|
||||
);
|
||||
|
||||
#TODO(3.0): Re-enable these PSS tests in a NO_DEFLT_LIBCTX build once we have
|
||||
# support for it
|
||||
push @tests, @tests_pss unless NO_DEFLT_LIBCTX;
|
||||
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || NO_DEFLT_LIBCTX;
|
||||
push @tests, @tests_non_fips unless $fips_mode;
|
||||
|
||||
my $server_tls_1_3 = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MinProtocol" => "TLSv1.3",
|
||||
"MaxProtocol" => "TLSv1.3"
|
||||
};
|
||||
#TODO(3.0): Re-enable these PSS tests in a $no_deflt_libctx build once we have
|
||||
# support for it
|
||||
push @tests, @tests_pss unless $no_deflt_libctx;
|
||||
push @tests, @tests_tls_1_1 unless disabled("tls1_1") || $no_deflt_libctx;
|
||||
|
||||
my $server_tls_1_3;
|
||||
|
||||
if ($fips_mode) {
|
||||
$server_tls_1_3 = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"MinProtocol" => "TLSv1.3",
|
||||
"MaxProtocol" => "TLSv1.3"
|
||||
};
|
||||
} else {
|
||||
$server_tls_1_3 = {
|
||||
"ECDSA.Certificate" => test_pem("server-ecdsa-cert.pem"),
|
||||
"ECDSA.PrivateKey" => test_pem("server-ecdsa-key.pem"),
|
||||
"Ed25519.Certificate" => test_pem("server-ed25519-cert.pem"),
|
||||
"Ed25519.PrivateKey" => test_pem("server-ed25519-key.pem"),
|
||||
"Ed448.Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
"Ed448.PrivateKey" => test_pem("server-ed448-key.pem"),
|
||||
"MinProtocol" => "TLSv1.3",
|
||||
"MaxProtocol" => "TLSv1.3"
|
||||
};
|
||||
}
|
||||
|
||||
my $client_tls_1_3 = {
|
||||
"RSA.Certificate" => test_pem("ee-client-chain.pem"),
|
||||
@ -713,6 +744,57 @@ my @tests_tls_1_3 = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "PSS+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "RSA",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "RSA-PSS",
|
||||
"ExpectedClientCANames" => "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "PSS+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "RSA",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "RSA-PSS",
|
||||
"ExpectedClientCANames" => test_pem("root-cert.pem"),
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "P-256",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
);
|
||||
|
||||
my @tests_tls_1_3_non_fips = (
|
||||
{
|
||||
name => "TLS 1.3 Ed25519 Signature Algorithm Selection",
|
||||
server => $server_tls_1_3,
|
||||
@ -770,54 +852,6 @@ my @tests_tls_1_3 = (
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "PSS+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "RSA",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "RSA-PSS",
|
||||
"ExpectedClientCANames" => "empty",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 RSA Client Auth Signature Algorithm Selection non-empty CA Names",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "PSS+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"RequestCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "RSA",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "RSA-PSS",
|
||||
"ExpectedClientCANames" => test_pem("root-cert.pem"),
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 ECDSA Client Auth Signature Algorithm Selection",
|
||||
server => {
|
||||
"ClientSignatureAlgorithms" => "ECDSA+SHA256",
|
||||
"VerifyCAFile" => test_pem("root-cert.pem"),
|
||||
"VerifyMode" => "Require"
|
||||
},
|
||||
client => $client_tls_1_3,
|
||||
test => {
|
||||
"ExpectedClientCertType" => "P-256",
|
||||
"ExpectedClientSignHash" => "SHA256",
|
||||
"ExpectedClientSignType" => "EC",
|
||||
"ExpectedResult" => "Success"
|
||||
},
|
||||
},
|
||||
{
|
||||
name => "TLS 1.3 Ed25519 Client Auth",
|
||||
server => {
|
||||
@ -874,6 +908,7 @@ my @tests_tls_1_3 = (
|
||||
);
|
||||
|
||||
push @tests, @tests_tls_1_3 unless disabled("tls1_3");
|
||||
push @tests, @tests_tls_1_3_non_fips unless disabled("tls1_3") || $fips_mode;
|
||||
|
||||
my @tests_dsa_tls_1_2 = (
|
||||
{
|
||||
@ -929,6 +964,7 @@ my @tests_dsa_tls_1_3 = (
|
||||
);
|
||||
|
||||
if (!disabled("dsa")) {
|
||||
push @tests, @tests_dsa_tls_1_2 unless disabled("dh");
|
||||
#TODO(3.0): Temporary workaround for DH issues in FIPS. Needs investigation
|
||||
push @tests, @tests_dsa_tls_1_2 unless disabled("dh") || $fips_mode;
|
||||
push @tests, @tests_dsa_tls_1_3 unless disabled("tls1_3");
|
||||
}
|
||||
|
@ -15,6 +15,8 @@ use warnings;
|
||||
package ssltests;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = (
|
||||
{
|
||||
name => "cipher-server-1",
|
||||
@ -153,4 +155,5 @@ my @tests_poly1305 = (
|
||||
},
|
||||
);
|
||||
|
||||
push @tests, @tests_poly1305 unless disabled("poly1305") || disabled("chacha");
|
||||
push @tests, @tests_poly1305
|
||||
unless disabled("poly1305") || disabled("chacha") || $fips_mode;
|
||||
|
@ -12,6 +12,8 @@
|
||||
package ssltests;
|
||||
use OpenSSL::Test::Utils;
|
||||
|
||||
our $fips_mode;
|
||||
|
||||
our @tests = (
|
||||
{
|
||||
name => "SECLEVEL 3 with default key",
|
||||
@ -79,5 +81,6 @@ our @tests_tls1_2 = (
|
||||
},
|
||||
);
|
||||
|
||||
push @tests, @tests_ec unless disabled("ec");
|
||||
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec");
|
||||
#TODO(3.0): No Ed448 or X25519 in FIPS mode at the moment
|
||||
push @tests, @tests_ec unless disabled("ec") || $fips_mode;
|
||||
push @tests, @tests_tls1_2 unless disabled("tls1_2") || disabled("ec")|| $fips_mode;
|
||||
|
@ -21,55 +21,82 @@ use OpenSSL::Test::Utils qw/anydisabled alldisabled disabled/;
|
||||
setup("no_test_here");
|
||||
|
||||
my @tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
|
||||
my @tls_protocols_fips = ("TLSv1.2", "TLSv1.3");
|
||||
# undef stands for "no limit".
|
||||
my @min_tls_protocols = (undef, "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");
|
||||
my @min_tls_protocols_fips = (undef, "TLSv1.2", "TLSv1.3");
|
||||
my @max_tls_protocols = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", undef);
|
||||
my @max_tls_protocols_fips = ("TLSv1.2", "TLSv1.3", undef);
|
||||
|
||||
my @is_tls_disabled = anydisabled("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3");
|
||||
my @is_tls_disabled_fips = anydisabled("tls1_2", "tls1_3");
|
||||
|
||||
my $min_tls_enabled; my $max_tls_enabled;
|
||||
my $min_tls_enabled_fips; my $max_tls_enabled_fips;
|
||||
|
||||
# Protocol configuration works in cascades, i.e.,
|
||||
# $no_tls1_1 disables TLSv1.1 and below.
|
||||
#
|
||||
# $min_enabled and $max_enabled will be correct if there is at least one
|
||||
# protocol enabled.
|
||||
foreach my $i (0..$#tls_protocols) {
|
||||
if (!$is_tls_disabled[$i]) {
|
||||
$min_tls_enabled = $i;
|
||||
last;
|
||||
|
||||
sub min_prot_enabled {
|
||||
my $protref = shift;
|
||||
my $disabledref = shift;
|
||||
my @protocols = @{$protref};
|
||||
my @is_disabled = @{$disabledref};
|
||||
my $min_enabled;
|
||||
|
||||
foreach my $i (0..$#protocols) {
|
||||
if (!$is_disabled[$i]) {
|
||||
$min_enabled = $i;
|
||||
last;
|
||||
}
|
||||
}
|
||||
return $min_enabled;
|
||||
}
|
||||
|
||||
foreach my $i (0..$#tls_protocols) {
|
||||
if (!$is_tls_disabled[$i]) {
|
||||
$max_tls_enabled = $i;
|
||||
sub max_prot_enabled {
|
||||
my $protref = shift;
|
||||
my $disabledref = shift;
|
||||
my @protocols = @{$protref};
|
||||
my @is_disabled = @{$disabledref};
|
||||
my $max_enabled;
|
||||
|
||||
foreach my $i (0..$#protocols) {
|
||||
if (!$is_disabled[$i]) {
|
||||
$max_enabled = $i;
|
||||
}
|
||||
}
|
||||
return $max_enabled;
|
||||
}
|
||||
|
||||
$min_tls_enabled = min_prot_enabled(\@tls_protocols, \@is_tls_disabled);
|
||||
$max_tls_enabled = max_prot_enabled(\@tls_protocols, \@is_tls_disabled);
|
||||
$min_tls_enabled_fips = min_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
|
||||
$max_tls_enabled_fips = max_prot_enabled(\@tls_protocols_fips, \@is_tls_disabled_fips);
|
||||
|
||||
|
||||
my @dtls_protocols = ("DTLSv1", "DTLSv1.2");
|
||||
my @dtls_protocols_fips = ("DTLSv1.2");
|
||||
# undef stands for "no limit".
|
||||
my @min_dtls_protocols = (undef, "DTLSv1", "DTLSv1.2");
|
||||
my @min_dtls_protocols_fips = (undef, "DTLSv1.2");
|
||||
my @max_dtls_protocols = ("DTLSv1", "DTLSv1.2", undef);
|
||||
my @max_dtls_protocols_fips = ("DTLSv1.2", undef);
|
||||
|
||||
my @is_dtls_disabled = anydisabled("dtls1", "dtls1_2");
|
||||
my @is_dtls_disabled_fips = anydisabled("dtls1_2");
|
||||
|
||||
my $min_dtls_enabled; my $max_dtls_enabled;
|
||||
my $min_dtls_enabled_fips; my $max_dtls_enabled_fips;
|
||||
|
||||
# $min_enabled and $max_enabled will be correct if there is at least one
|
||||
# protocol enabled.
|
||||
foreach my $i (0..$#dtls_protocols) {
|
||||
if (!$is_dtls_disabled[$i]) {
|
||||
$min_dtls_enabled = $i;
|
||||
last;
|
||||
}
|
||||
}
|
||||
|
||||
foreach my $i (0..$#dtls_protocols) {
|
||||
if (!$is_dtls_disabled[$i]) {
|
||||
$max_dtls_enabled = $i;
|
||||
}
|
||||
}
|
||||
$min_dtls_enabled = min_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
|
||||
$max_dtls_enabled = max_prot_enabled(\@dtls_protocols, \@is_dtls_disabled);
|
||||
$min_dtls_enabled_fips = min_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
|
||||
$max_dtls_enabled_fips = max_prot_enabled(\@dtls_protocols_fips, \@is_dtls_disabled_fips);
|
||||
|
||||
sub no_tests {
|
||||
my ($dtls) = @_;
|
||||
@ -78,17 +105,31 @@ sub no_tests {
|
||||
}
|
||||
|
||||
sub generate_version_tests {
|
||||
my ($method) = @_;
|
||||
my $method = shift;
|
||||
my $fips = shift;
|
||||
|
||||
my $dtls = $method eq "DTLS";
|
||||
# Don't write the redundant "Method = TLS" into the configuration.
|
||||
undef $method if !$dtls;
|
||||
|
||||
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
|
||||
my @min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
|
||||
my @max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
|
||||
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
|
||||
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
|
||||
my @protocols;
|
||||
my @min_protocols;
|
||||
my @max_protocols;
|
||||
my $min_enabled;
|
||||
my $max_enabled;
|
||||
if ($fips) {
|
||||
@protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
|
||||
@min_protocols = $dtls ? @min_dtls_protocols_fips : @min_tls_protocols_fips;
|
||||
@max_protocols = $dtls ? @max_dtls_protocols_fips : @max_tls_protocols_fips;
|
||||
$min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
|
||||
$max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
|
||||
} else {
|
||||
@protocols = $dtls ? @dtls_protocols : @tls_protocols;
|
||||
@min_protocols = $dtls ? @min_dtls_protocols : @min_tls_protocols;
|
||||
@max_protocols = $dtls ? @max_dtls_protocols : @max_tls_protocols;
|
||||
$min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
|
||||
$max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
|
||||
}
|
||||
|
||||
if (no_tests($dtls)) {
|
||||
return;
|
||||
@ -166,15 +207,26 @@ sub generate_version_tests {
|
||||
}
|
||||
|
||||
sub generate_resumption_tests {
|
||||
my ($method) = @_;
|
||||
my $method = shift;
|
||||
my $fips = shift;
|
||||
|
||||
my $dtls = $method eq "DTLS";
|
||||
# Don't write the redundant "Method = TLS" into the configuration.
|
||||
undef $method if !$dtls;
|
||||
|
||||
my @protocols = $dtls ? @dtls_protocols : @tls_protocols;
|
||||
my $min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
|
||||
my $max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
|
||||
my @protocols;
|
||||
my $min_enabled;
|
||||
my $max_enabled;
|
||||
|
||||
if ($fips) {
|
||||
@protocols = $dtls ? @dtls_protocols_fips : @tls_protocols_fips;
|
||||
$min_enabled = $dtls ? $min_dtls_enabled_fips : $min_tls_enabled_fips;
|
||||
$max_enabled = $dtls ? $max_dtls_enabled_fips : $max_tls_enabled_fips;
|
||||
} else {
|
||||
@protocols = $dtls ? @dtls_protocols : @tls_protocols;
|
||||
$min_enabled = $dtls ? $min_dtls_enabled : $min_tls_enabled;
|
||||
$max_enabled = $dtls ? $max_dtls_enabled : $max_tls_enabled;
|
||||
}
|
||||
|
||||
if (no_tests($dtls)) {
|
||||
return;
|
||||
|
@ -17,6 +17,9 @@ sub test_pem
|
||||
return "\${ENV::TEST_CERTS_DIR}" . $dir_sep . $file,
|
||||
}
|
||||
|
||||
our $fips_mode = 0;
|
||||
our $no_deflt_libctx = 0;
|
||||
|
||||
our %base_server = (
|
||||
"Certificate" => test_pem("servercert.pem"),
|
||||
"PrivateKey" => test_pem("serverkey.pem"),
|
||||
|
@ -511,7 +511,7 @@ err:
|
||||
return ret;
|
||||
}
|
||||
|
||||
OPT_TEST_DECLARE_USAGE("conf_file\n")
|
||||
OPT_TEST_DECLARE_USAGE("conf_file modulename [fips_conf_file]\n")
|
||||
|
||||
int setup_tests(void)
|
||||
{
|
||||
@ -534,11 +534,17 @@ int setup_tests(void)
|
||||
return 0;
|
||||
|
||||
if (strcmp(modulename, "none") != 0) {
|
||||
const char *configfile = test_get_argument(2);
|
||||
|
||||
defctxnull = OSSL_PROVIDER_load(NULL, "null");
|
||||
libctx = OPENSSL_CTX_new();
|
||||
if (!TEST_ptr(libctx))
|
||||
return 0;
|
||||
|
||||
if (configfile != NULL
|
||||
&& !TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
|
||||
return 0;
|
||||
|
||||
thisprov = OSSL_PROVIDER_load(libctx, modulename);
|
||||
if (!TEST_ptr(thisprov))
|
||||
return 0;
|
||||
|
Loading…
Reference in New Issue
Block a user