openssl/test/recipes/80-test_ssl_new.t
slontis 85caa417e0 Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
2024-07-26 09:24:04 +10:00

208 lines
8.2 KiB
Perl

#! /usr/bin/env perl
# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
# For manually running these tests, set specific environment variables like this:
# CTLOG_FILE=test/ct/log_list.cnf
# TEST_CERTS_DIR=test/certs
# For details on the environment variables needed, see test/README.ssltest.md
use strict;
use warnings;
use File::Basename;
use File::Compare qw/compare_text/;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
BEGIN {
setup("test_ssl_new");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $dsaallow = '1';
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
my @conf_srcs = ();
if (defined $ENV{SSL_TESTS}) {
my @conf_list = split(' ', $ENV{SSL_TESTS});
foreach my $conf_file (@conf_list) {
push (@conf_srcs, glob(srctop_file("test", "ssl-tests", $conf_file)));
}
plan tests => scalar @conf_srcs;
} else {
@conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
# We hard-code the number of tests to double-check that the globbing above
# finds all files as expected.
plan tests => 31;
}
map { s/;.*// } @conf_srcs if $^O eq "VMS";
my @conf_files = map { basename($_, ".in") } @conf_srcs;
map { s/\^// } @conf_files if $^O eq "VMS";
unless ($no_fips) {
my $provconf = srctop_file("test", "fips-and-base.cnf");
run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
capture => 1, statusvar => \$dsaallow);
}
# Some test results depend on the configuration of enabled protocols. We only
# verify generated sources in the default configuration.
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
!disabled("tls1_1") && !disabled("tls1_2") &&
!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
my $no_tls = alldisabled(available_protocols("tls"));
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
$no_tls = 1;
}
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
my $no_dtls = alldisabled(available_protocols("dtls"));
my $no_npn = disabled("nextprotoneg");
my $no_ct = disabled("ct");
my $no_ec = disabled("ec");
my $no_ecx = disabled("ecx");
my $no_dh = disabled("dh");
my $no_dsa = disabled("dsa");
my $no_ec2m = disabled("ec2m");
my $no_ocsp = disabled("ocsp");
# Add your test here if the test conf.in generates test cases and/or
# expectations dynamically based on the OpenSSL compile-time config.
my %conf_dependent_tests = (
"02-protocol-version.cnf" => !$is_default_tls,
"04-client_auth.cnf" => !$is_default_tls || !$is_default_dtls
|| !disabled("sctp"),
"05-sni.cnf" => disabled("tls1_1"),
"07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
"10-resumption.cnf" => !$is_default_tls || $no_ec,
"11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
"16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
"17-renegotiate.cnf" => disabled("tls1_2"),
"18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
"19-mac-then-encrypt.cnf" => !$is_default_tls,
"20-cert-select.cnf" => !$is_default_tls || $no_dh || $no_dsa,
"22-compression.cnf" => !$is_default_tls,
"25-cipher.cnf" => disabled("poly1305") || disabled("chacha"),
"27-ticket-appdata.cnf" => !$is_default_tls,
"28-seclevel.cnf" => disabled("tls1_2") || $no_ecx,
"30-extended-master-secret.cnf" => disabled("tls1_2"),
"32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
);
# Add your test here if it should be skipped for some compile-time
# configurations. Default is $no_tls but some tests have different skip
# conditions.
my %skip = (
"06-sni-ticket.cnf" => $no_tls_below1_3,
"07-dtls-protocol-version.cnf" => $no_dtls,
"08-npn.cnf" => (disabled("tls1") && disabled("tls1_1")
&& disabled("tls1_2")) || $no_npn,
"10-resumption.cnf" => disabled("tls1_1") || disabled("tls1_2"),
"11-dtls_resumption.cnf" => disabled("dtls1") || disabled("dtls1_2"),
"12-ct.cnf" => $no_tls || $no_ct || $no_ec,
# We could run some of these tests without TLS 1.2 if we had a per-test
# disable instruction but that's a bizarre configuration not worth
# special-casing for.
# TODO(TLS 1.3): We should review this once we have TLS 1.3.
"13-fragmentation.cnf" => disabled("tls1_2"),
"14-curves.cnf" => disabled("tls1_2") || disabled("tls1_3")
|| $no_ec2m || $no_ecx || $no_dh,
"15-certstatus.cnf" => $no_tls || $no_ocsp,
"16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp,
"17-renegotiate.cnf" => $no_tls_below1_3,
"18-dtls-renegotiate.cnf" => $no_dtls,
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
"20-cert-select.cnf" => disabled("tls1_2") || $no_ecx,
"21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"22-compression.cnf" => disabled("zlib") || $no_tls,
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
&& disabled("tls1_2")) || disabled("srp"),
"24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
"26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
"32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
);
foreach my $conf (@conf_files) {
subtest "Test configuration $conf" => sub {
plan tests => 6 + ($no_fips ? 0 : 3);
test_conf($conf,
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"none");
test_conf($conf,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"default");
test_conf($conf,
0,
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
"fips") unless $no_fips;
}
}
sub test_conf {
my ($conf, $check_source, $skip, $provider) = @_;
my $conf_file = srctop_file("test", "ssl-tests", $conf);
my $input_file = $conf_file . ".in";
my $output_file = $conf . "." . $provider;
my $run_test = 1;
SKIP: {
# "Test" 1. Generate the source.
skip 'failure', 2 unless
ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
interpreter_args => [ "-I", srctop_dir("util", "perl")],
stdout => $output_file)),
"Getting output from generate_ssl_tests.pl.");
SKIP: {
# Test 2. Compare against existing output in test/ssl-tests/
skip "Skipping generated source test for $conf", 1
if !$check_source;
$run_test = is(cmp_text($output_file, $conf_file), 0,
"Comparing generated $output_file with $conf_file.");
}
# Test 3. Run the test.
skip "No tests available; skipping tests", 1 if $skip;
skip "Stale sources; skipping tests", 1 if !$run_test;
skip "Dsa not allowed in FIPS 140-3 provider", 1 if ($provider eq "fips") && ($dsaallow eq '0');
my $msg = "running CTLOG_FILE=test/ct/log_list.cnf". # $ENV{CTLOG_FILE}.
" TEST_CERTS_DIR=test/certs". # $ENV{TEST_CERTS_DIR}.
" test/ssl_test test/ssl-tests/$conf $provider";
if ($provider eq "fips") {
ok(run(test(["ssl_test", $output_file, $provider,
srctop_file("test", "fips-and-base.cnf")])), $msg);
} else {
ok(run(test(["ssl_test", $output_file, $provider])), $msg);
}
}
}
sub cmp_text {
return compare_text(@_, sub {
$_[0] =~ s/\R//g;
$_[1] =~ s/\R//g;
return $_[0] ne $_[1];
});
}