New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.
Fixes #16657
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
- name: make test
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ fips_and_ktls:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: modprobe tls
+ run: sudo modprobe tls
+ - name: config
+ run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump
+ - name: make
+ run: make -s -j4
+ - name: make test
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
no-legacy:
runs-on: ubuntu-latest
steps:
goto end;
}
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
+ goto end;
+ }
+
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
goto end;
}
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
+ goto end;
+ }
+
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),