mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
f6a296c386
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc. This should keep the naming consistent. Some FIPS related headers have moved to providers/fips/include so that they can use fips_indicator_params.inc. securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes fipscommon.h. fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used. fips_names.h just uses aliases now for existing public names. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25162)
150 lines
5.5 KiB
Raku
150 lines
5.5 KiB
Raku
#! /usr/bin/env perl
|
|
# Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
use OpenSSL::Test::Utils;
|
|
use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
|
|
use File::Temp qw(tempfile);
|
|
|
|
BEGIN {
|
|
setup("test_sslapi");
|
|
}
|
|
|
|
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
my $fipsmodcfg_filename = "fipsmodule.cnf";
|
|
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);
|
|
|
|
my $provconf = srctop_file("test", "fips-and-base.cnf");
|
|
|
|
# A modified copy of "fipsmodule.cnf"
|
|
my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
|
|
my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);
|
|
|
|
# An interum modified copy of "fipsmodule.cnf"
|
|
my $fipsmodcfgtmp_filename = "fipsmodule_tmp.cnf";
|
|
my $fipsmodcfgtmp = result_file($fipsmodcfgtmp_filename);
|
|
|
|
# A modified copy of "fips-and-base.cnf"
|
|
my $provconfnew = result_file("fips-and-base-temp.cnf");
|
|
|
|
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
|
|
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
|
|
|
|
plan tests => 4;
|
|
|
|
(undef, my $tmpfilename) = tempfile();
|
|
|
|
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
|
|
srctop_file("test", "recipes", "90-test_sslapi_data",
|
|
"passwd.txt"), $tmpfilename, "default",
|
|
srctop_file("test", "default.cnf"),
|
|
srctop_file("test",
|
|
"recipes",
|
|
"90-test_sslapi_data",
|
|
"dhparams.pem")])),
|
|
"running sslapitest");
|
|
|
|
SKIP: {
|
|
skip "Skipping FIPS tests", 2
|
|
if $no_fips;
|
|
|
|
# NOTE that because by default we setup fips provider in pedantic mode,
|
|
# with >= 3.1.0 this just runs test_no_ems() to check that the connection
|
|
# fails if ems is not used and the fips check is enabled.
|
|
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
|
|
srctop_file("test", "recipes", "90-test_sslapi_data",
|
|
"passwd.txt"), $tmpfilename, "fips",
|
|
$provconf,
|
|
srctop_file("test",
|
|
"recipes",
|
|
"90-test_sslapi_data",
|
|
"dhparams.pem")])),
|
|
"running sslapitest with default fips config");
|
|
|
|
run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
|
|
capture => 1, statusvar => \my $exit);
|
|
|
|
skip "FIPS provider version is too old for TLS_PRF EMS option test", 1
|
|
if !$exit;
|
|
|
|
# Read in a text $infile and replace the regular expression in $srch with the
|
|
# value in $repl and output to a new file $outfile.
|
|
sub replace_line_file_internal {
|
|
|
|
my ($infile, $srch, $repl, $outfile) = @_;
|
|
my $msg;
|
|
|
|
open(my $in, "<", $infile) or return 0;
|
|
read($in, $msg, 1024);
|
|
close $in;
|
|
|
|
$msg =~ s/$srch/$repl/;
|
|
|
|
open(my $fh, ">", $outfile) or return 0;
|
|
print $fh $msg;
|
|
close $fh;
|
|
return 1;
|
|
}
|
|
|
|
# Read in the text input file $infile
|
|
# and replace a single Key = Value line with a new value in $value.
|
|
# OR remove the Key = Value line if the passed in $value is empty.
|
|
# and then output a new file $outfile.
|
|
# $key is the Key to find
|
|
sub replace_kv_file {
|
|
my ($infile, $key, $value, $outfile) = @_;
|
|
my $srch = qr/$key\s*=\s*\S*\n/;
|
|
my $rep;
|
|
if ($value eq "") {
|
|
$rep = "";
|
|
} else {
|
|
$rep = "$key = $value\n";
|
|
}
|
|
return replace_line_file_internal($infile, $srch, $rep, $outfile);
|
|
}
|
|
|
|
# Read in the text $input file
|
|
# and search for the $key and replace with $newkey
|
|
# and then output a new file $outfile.
|
|
sub replace_line_file {
|
|
my ($infile, $key, $newkey, $outfile) = @_;
|
|
my $srch = qr/$key/;
|
|
my $rep = "$newkey";
|
|
return replace_line_file_internal($infile,
|
|
$srch, $rep, $outfile);
|
|
}
|
|
|
|
# The default fipsmodule.cnf in tests is set with -pedantic.
|
|
# In order to enable the tls1-prf-ems-check=0 in a fips config file
|
|
# copy the existing fipsmodule.cnf and modify it.
|
|
# Then copy fips-and-base.cfg to make a file that includes the changed file
|
|
$ENV{OPENSSL_CONF_INCLUDE} = result_dir();
|
|
ok(replace_kv_file($fipsmodcfg,
|
|
'tls1-prf-ems-check', '0',
|
|
$fipsmodcfgtmp)
|
|
&& replace_kv_file($fipsmodcfgtmp,
|
|
'rsa-pkcs15-pad-disabled', '0',
|
|
$fipsmodcfgnew)
|
|
&& replace_line_file($provconf,
|
|
$fipsmodcfg_filename, $fipsmodcfgnew_filename,
|
|
$provconfnew)
|
|
&& run(test(["sslapitest", srctop_dir("test", "certs"),
|
|
srctop_file("test", "recipes", "90-test_sslapi_data",
|
|
"passwd.txt"),
|
|
$tmpfilename, "fips",
|
|
$provconfnew,
|
|
srctop_file("test",
|
|
"recipes",
|
|
"90-test_sslapi_data",
|
|
"dhparams.pem")])),
|
|
"running sslapitest with modified fips config");
|
|
}
|
|
|
|
ok(run(test(["ssl_handshake_rtt_test"])),"running ssl_handshake_rtt_test");
|
|
|
|
unlink $tmpfilename;
|