Add a new option to the `test' section of SSL test data structure.
This contains a space separated list of version checks, all of which must
pass.
Note that the version checks are as they as because:
- 3.1.0 doesn't have mandatory EMS support, so it can run the old tests.
- 3.1.1 (& later) will have mandatory EMS support, so they can't run them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha)
IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg)
+/* FIPS provider version limiting */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, fips_version)
+
/* Known test options and their corresponding parse methods. */
/* Top-level options. */
{ "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug },
{ "ExpectedCipher", &parse_test_expected_cipher },
{ "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data },
+ { "FIPSversion", &parse_test_fips_version },
};
/* Nested client options. */
sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
OPENSSL_free(ctx->expected_cipher);
+ OPENSSL_free(ctx->fips_version);
OPENSSL_free(ctx);
}
char *expected_session_ticket_app_data;
OSSL_LIB_CTX *libctx;
+
+ /* FIPS version string to check for compatibility */
+ char *fips_version;
} SSL_TEST_CTX;
const char *ssl_test_result_name(ssl_test_result_t result);
[test-0]
ExpectedResult = Success
+FIPSversion = <=3.1.0
# ===========================================================
[test-1]
ExpectedResult = Success
+FIPSversion = <=3.1.0
# ===========================================================
[test-2]
ExpectedResult = Success
+FIPSversion = <=3.1.0
# ===========================================================
[test-3]
ExpectedResult = Success
+FIPSversion = <=3.1.0
HandshakeMode = Resume
[test-4]
ExpectedResult = Success
+FIPSversion = <=3.1.0
# ===========================================================
[test-5]
ExpectedResult = Success
+FIPSversion = <=3.1.0
# ===========================================================
[test-6]
ExpectedResult = Success
+FIPSversion = <=3.1.0
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
test => {
"HandshakeMode" => "Resume",
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
{
},
test => {
"ExpectedResult" => "Success",
+ "FIPSversion" => "<=3.1.0",
},
},
);
if (!TEST_ptr(test_ctx))
goto err;
+ /* Verify that the FIPS provider supports this test */
+ if (test_ctx->fips_version != NULL
+ && !fips_provider_version_match(libctx, test_ctx->fips_version)) {
+ ret = TEST_skip("FIPS provider unable to run this test");
+ goto err;
+ }
+
#ifndef OPENSSL_NO_DTLS
if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());