mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
85caa417e0
This is a FIPS 140-3 requirement. This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0, OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24799)
208 lines
8.2 KiB
Perl
208 lines
8.2 KiB
Perl
#! /usr/bin/env perl
|
|
# Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
# For manually running these tests, set specific environment variables like this:
|
|
# CTLOG_FILE=test/ct/log_list.cnf
|
|
# TEST_CERTS_DIR=test/certs
|
|
# For details on the environment variables needed, see test/README.ssltest.md
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use File::Basename;
|
|
use File::Compare qw/compare_text/;
|
|
use OpenSSL::Glob;
|
|
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_file bldtop_dir/;
|
|
use OpenSSL::Test::Utils qw/disabled alldisabled available_protocols/;
|
|
|
|
BEGIN {
|
|
setup("test_ssl_new");
|
|
}
|
|
|
|
use lib srctop_dir('Configurations');
|
|
use lib bldtop_dir('.');
|
|
|
|
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
|
|
my $dsaallow = '1';
|
|
|
|
$ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs");
|
|
|
|
my @conf_srcs = ();
|
|
if (defined $ENV{SSL_TESTS}) {
|
|
my @conf_list = split(' ', $ENV{SSL_TESTS});
|
|
foreach my $conf_file (@conf_list) {
|
|
push (@conf_srcs, glob(srctop_file("test", "ssl-tests", $conf_file)));
|
|
}
|
|
plan tests => scalar @conf_srcs;
|
|
} else {
|
|
@conf_srcs = glob(srctop_file("test", "ssl-tests", "*.cnf.in"));
|
|
# We hard-code the number of tests to double-check that the globbing above
|
|
# finds all files as expected.
|
|
plan tests => 31;
|
|
}
|
|
map { s/;.*// } @conf_srcs if $^O eq "VMS";
|
|
my @conf_files = map { basename($_, ".in") } @conf_srcs;
|
|
map { s/\^// } @conf_files if $^O eq "VMS";
|
|
|
|
unless ($no_fips) {
|
|
my $provconf = srctop_file("test", "fips-and-base.cnf");
|
|
run(test(["fips_version_test", "-config", $provconf, "<3.4.0"]),
|
|
capture => 1, statusvar => \$dsaallow);
|
|
}
|
|
|
|
# Some test results depend on the configuration of enabled protocols. We only
|
|
# verify generated sources in the default configuration.
|
|
my $is_default_tls = (disabled("ssl3") && !disabled("tls1") &&
|
|
!disabled("tls1_1") && !disabled("tls1_2") &&
|
|
!disabled("tls1_3") && (!disabled("ec") || !disabled("dh")));
|
|
|
|
my $is_default_dtls = (!disabled("dtls1") && !disabled("dtls1_2"));
|
|
|
|
my @all_pre_tls1_3 = ("ssl3", "tls1", "tls1_1", "tls1_2");
|
|
my $no_tls = alldisabled(available_protocols("tls"));
|
|
my $no_tls_below1_3 = $no_tls || (disabled("tls1_2") && !disabled("tls1_3"));
|
|
if (!$no_tls && $no_tls_below1_3 && disabled("ec") && disabled("dh")) {
|
|
$no_tls = 1;
|
|
}
|
|
my $no_pre_tls1_3 = alldisabled(@all_pre_tls1_3);
|
|
my $no_dtls = alldisabled(available_protocols("dtls"));
|
|
my $no_npn = disabled("nextprotoneg");
|
|
my $no_ct = disabled("ct");
|
|
my $no_ec = disabled("ec");
|
|
my $no_ecx = disabled("ecx");
|
|
my $no_dh = disabled("dh");
|
|
my $no_dsa = disabled("dsa");
|
|
my $no_ec2m = disabled("ec2m");
|
|
my $no_ocsp = disabled("ocsp");
|
|
|
|
# Add your test here if the test conf.in generates test cases and/or
|
|
# expectations dynamically based on the OpenSSL compile-time config.
|
|
my %conf_dependent_tests = (
|
|
"02-protocol-version.cnf" => !$is_default_tls,
|
|
"04-client_auth.cnf" => !$is_default_tls || !$is_default_dtls
|
|
|| !disabled("sctp"),
|
|
"05-sni.cnf" => disabled("tls1_1"),
|
|
"07-dtls-protocol-version.cnf" => !$is_default_dtls || !disabled("sctp"),
|
|
"10-resumption.cnf" => !$is_default_tls || $no_ec,
|
|
"11-dtls_resumption.cnf" => !$is_default_dtls || !disabled("sctp"),
|
|
"16-dtls-certstatus.cnf" => !$is_default_dtls || !disabled("sctp"),
|
|
"17-renegotiate.cnf" => disabled("tls1_2"),
|
|
"18-dtls-renegotiate.cnf" => disabled("dtls1_2") || !disabled("sctp"),
|
|
"19-mac-then-encrypt.cnf" => !$is_default_tls,
|
|
"20-cert-select.cnf" => !$is_default_tls || $no_dh || $no_dsa,
|
|
"22-compression.cnf" => !$is_default_tls,
|
|
"25-cipher.cnf" => disabled("poly1305") || disabled("chacha"),
|
|
"27-ticket-appdata.cnf" => !$is_default_tls,
|
|
"28-seclevel.cnf" => disabled("tls1_2") || $no_ecx,
|
|
"30-extended-master-secret.cnf" => disabled("tls1_2"),
|
|
"32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
|
|
);
|
|
|
|
# Add your test here if it should be skipped for some compile-time
|
|
# configurations. Default is $no_tls but some tests have different skip
|
|
# conditions.
|
|
my %skip = (
|
|
"06-sni-ticket.cnf" => $no_tls_below1_3,
|
|
"07-dtls-protocol-version.cnf" => $no_dtls,
|
|
"08-npn.cnf" => (disabled("tls1") && disabled("tls1_1")
|
|
&& disabled("tls1_2")) || $no_npn,
|
|
"10-resumption.cnf" => disabled("tls1_1") || disabled("tls1_2"),
|
|
"11-dtls_resumption.cnf" => disabled("dtls1") || disabled("dtls1_2"),
|
|
"12-ct.cnf" => $no_tls || $no_ct || $no_ec,
|
|
# We could run some of these tests without TLS 1.2 if we had a per-test
|
|
# disable instruction but that's a bizarre configuration not worth
|
|
# special-casing for.
|
|
# TODO(TLS 1.3): We should review this once we have TLS 1.3.
|
|
"13-fragmentation.cnf" => disabled("tls1_2"),
|
|
"14-curves.cnf" => disabled("tls1_2") || disabled("tls1_3")
|
|
|| $no_ec2m || $no_ecx || $no_dh,
|
|
"15-certstatus.cnf" => $no_tls || $no_ocsp,
|
|
"16-dtls-certstatus.cnf" => $no_dtls || $no_ocsp,
|
|
"17-renegotiate.cnf" => $no_tls_below1_3,
|
|
"18-dtls-renegotiate.cnf" => $no_dtls,
|
|
"19-mac-then-encrypt.cnf" => $no_pre_tls1_3,
|
|
"20-cert-select.cnf" => disabled("tls1_2") || $no_ecx,
|
|
"21-key-update.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
|
|
"22-compression.cnf" => disabled("zlib") || $no_tls,
|
|
"23-srp.cnf" => (disabled("tls1") && disabled ("tls1_1")
|
|
&& disabled("tls1_2")) || disabled("srp"),
|
|
"24-padding.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
|
|
"25-cipher.cnf" => disabled("ec") || disabled("tls1_2"),
|
|
"26-tls13_client_auth.cnf" => disabled("tls1_3") || ($no_ec && $no_dh),
|
|
"29-dtls-sctp-label-bug.cnf" => disabled("sctp") || disabled("sock"),
|
|
"32-compressed-certificate.cnf" => disabled("comp") || disabled("tls1_3"),
|
|
);
|
|
|
|
foreach my $conf (@conf_files) {
|
|
subtest "Test configuration $conf" => sub {
|
|
plan tests => 6 + ($no_fips ? 0 : 3);
|
|
test_conf($conf,
|
|
$conf_dependent_tests{$conf} || $^O eq "VMS" ? 0 : 1,
|
|
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
|
"none");
|
|
test_conf($conf,
|
|
0,
|
|
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
|
"default");
|
|
test_conf($conf,
|
|
0,
|
|
defined($skip{$conf}) ? $skip{$conf} : $no_tls,
|
|
"fips") unless $no_fips;
|
|
}
|
|
}
|
|
|
|
sub test_conf {
|
|
my ($conf, $check_source, $skip, $provider) = @_;
|
|
|
|
my $conf_file = srctop_file("test", "ssl-tests", $conf);
|
|
my $input_file = $conf_file . ".in";
|
|
my $output_file = $conf . "." . $provider;
|
|
my $run_test = 1;
|
|
|
|
SKIP: {
|
|
# "Test" 1. Generate the source.
|
|
skip 'failure', 2 unless
|
|
ok(run(perltest(["generate_ssl_tests.pl", $input_file, $provider],
|
|
interpreter_args => [ "-I", srctop_dir("util", "perl")],
|
|
stdout => $output_file)),
|
|
"Getting output from generate_ssl_tests.pl.");
|
|
|
|
SKIP: {
|
|
# Test 2. Compare against existing output in test/ssl-tests/
|
|
skip "Skipping generated source test for $conf", 1
|
|
if !$check_source;
|
|
|
|
$run_test = is(cmp_text($output_file, $conf_file), 0,
|
|
"Comparing generated $output_file with $conf_file.");
|
|
}
|
|
|
|
# Test 3. Run the test.
|
|
skip "No tests available; skipping tests", 1 if $skip;
|
|
skip "Stale sources; skipping tests", 1 if !$run_test;
|
|
skip "Dsa not allowed in FIPS 140-3 provider", 1 if ($provider eq "fips") && ($dsaallow eq '0');
|
|
|
|
my $msg = "running CTLOG_FILE=test/ct/log_list.cnf". # $ENV{CTLOG_FILE}.
|
|
" TEST_CERTS_DIR=test/certs". # $ENV{TEST_CERTS_DIR}.
|
|
" test/ssl_test test/ssl-tests/$conf $provider";
|
|
if ($provider eq "fips") {
|
|
ok(run(test(["ssl_test", $output_file, $provider,
|
|
srctop_file("test", "fips-and-base.cnf")])), $msg);
|
|
} else {
|
|
ok(run(test(["ssl_test", $output_file, $provider])), $msg);
|
|
}
|
|
}
|
|
}
|
|
|
|
sub cmp_text {
|
|
return compare_text(@_, sub {
|
|
$_[0] =~ s/\R//g;
|
|
$_[1] =~ s/\R//g;
|
|
return $_[0] ne $_[1];
|
|
});
|
|
}
|