90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic which means that sslapitest was not fully executed with fips provider. The ems check must be switched off for full execution. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24347)
2024-12-03 06:54:50 +08:00 · 2024-05-10 14:50:46 +02:00 · 2024-05-10 14:50:46 +02:00 · d2af5e4c94
commit d2af5e4c94
parent 887572b85d
1 changed files with 15 additions and 18 deletions
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@ -7,16 +7,13 @@
 # https://www.openssl.org/source/license.html

 use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
 use File::Temp qw(tempfile);

 BEGIN {
 setup("test_sslapi");
 }

-use lib srctop_dir('Configurations');
-use lib bldtop_dir('.');
-
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 my $fipsmodcfg_filename = "fipsmodule.cnf";
 my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
@ -25,10 +22,10 @@ my $provconf = srctop_file("test", "fips-and-base.cnf");

 # A modified copy of "fipsmodule.cnf"
 my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
-my $fipsmodcfgnew = bldtop_file("test", $fipsmodcfgnew_filename);
+my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);

 # A modified copy of "fips-and-base.cnf"
-my $provconfnew = bldtop_file("test", "temp.cnf");
+my $provconfnew = result_file("fips-and-base-temp.cnf");

 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
    if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
@ -51,6 +48,9 @@ SKIP: {
    skip "Skipping FIPS tests", 2
        if $no_fips;

+    # NOTE that because by default we setup fips provider in pedantic mode,
+    # with >= 3.1.0 this just runs test_no_ems() to check that the connection
+    # fails if ems is not used and the fips check is enabled.
    ok(run(test(["sslapitest", srctop_dir("test", "certs"),
                 srctop_file("test", "recipes", "90-test_sslapi_data",
                             "passwd.txt"), $tmpfilename, "fips",
@ -59,7 +59,7 @@ SKIP: {
                             "recipes",
                             "90-test_sslapi_data",
                             "dhparams.pem")])),
-                 "running sslapitest");
+                 "running sslapitest with default fips config");

    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
             capture => 1, statusvar => \my $exit);
@ -70,7 +70,7 @@ SKIP: {
    # Read in a text $infile and replace the regular expression in $srch with the
    # value in $repl and output to a new file $outfile.
    sub replace_line_file_internal {
-    
+
        my ($infile, $srch, $repl, $outfile) = @_;
        my $msg;

@ -85,7 +85,7 @@ SKIP: {
        close $fh;
        return 1;
    }
-    
+
    # Read in the text input file $infile
    # and replace a single Key = Value line with a new value in $value.
    # OR remove the Key = Value line if the passed in $value is empty.
@ -102,7 +102,7 @@ SKIP: {
        }
        return replace_line_file_internal($infile, $srch, $rep, $outfile);
    }
-    
+
    # Read in the text $input file
    # and search for the $key and replace with $newkey
    # and then output a new file $outfile.
@ -114,13 +114,13 @@ SKIP: {
                                          $srch, $rep, $outfile);
    }

-    # In order to enable the tls1-prf-ems-check=1 in a fips config file
+    # The default fipsmodule.cnf in tests is set with -pedantic.
+    # In order to enable the tls1-prf-ems-check=0 in a fips config file
    # copy the existing fipsmodule.cnf and modify it.
    # Then copy fips-and-base.cfg to make a file that includes the changed file
-    # NOTE that this just runs test_no_ems() to check that the connection
-    # fails if ems is not used and the fips check is enabled.
+    $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
    ok(replace_kv_file($fipsmodcfg,
-                       'tls1-prf-ems-check', '1',
+                       'tls1-prf-ems-check', '0',
                       $fipsmodcfgnew)
       && replace_line_file($provconf,
                            $fipsmodcfg_filename, $fipsmodcfgnew_filename,
@ -134,10 +134,7 @@ SKIP: {
                                "recipes",
                                "90-test_sslapi_data",
                                "dhparams.pem")])),
-       "running sslapitest");
-
-    unlink $fipsmodcfgnew;
-    unlink $provconfnew;
+       "running sslapitest with modified fips config");
 }

 ok(run(test(["ssl_handshake_rtt_test"])),"running ssl_handshake_rtt_test");