From: Pauli Date: Tue, 18 Apr 2023 04:41:17 +0000 (+1000) Subject: test: update ssl_new tests in line with pedantic FIPS policy X-Git-Tag: openssl-3.2.0-alpha1~982 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=4454c20f026bb47f158ea05c207f143c81d674d8 test: update ssl_new tests in line with pedantic FIPS policy Add a new option to the `test' section of SSL test data structure. This contains a space separated list of version checks, all of which must pass. Note that the version checks are as they as because: - 3.1.0 doesn't have mandatory EMS support, so it can run the old tests. - 3.1.1 (& later) will have mandatory EMS support, so they can't run them. Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/20762) --- diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c index 1919481b02..c7777f8f07 100644 --- a/test/helpers/ssl_test_ctx.c +++ b/test/helpers/ssl_test_ctx.c @@ -652,6 +652,9 @@ IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg) +/* FIPS provider version limiting */ +IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, fips_version) + /* Known test options and their corresponding parse methods. */ /* Top-level options. */ @@ -692,6 +695,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug }, { "ExpectedCipher", &parse_test_expected_cipher }, { "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data }, + { "FIPSversion", &parse_test_fips_version }, }; /* Nested client options. */ 
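Review bot: The new option name `"FIPSversion"` breaks the CamelCase convention of the surrounding table entries (`"ExpectedCipher"`, `"ExpectedSessionTicketAppData"`) and is the exact spelling every .cnf/.cnf.in file must match, so it is worth settling before more tests depend on it; `{ "FIPSVersion", &parse_test_fips_version },` would be consistent, at the cost of renaming the config entries in this same commit. Because `IMPLEMENT_SSL_TEST_STRING_OPTION` only stores the string, nothing validates the version expression at config-parse time; if `fips_provider_version_match` treats an unparsable expression as a mismatch (not visible here), a typo such as `<=3.1` would silently turn the test into a skip under the FIPS provider instead of a configuration error. The `ssl_test_ctx_options[]` table continues outside the hunk.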
@@ -781,6 +785,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx) sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free); sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free); OPENSSL_free(ctx->expected_cipher); + OPENSSL_free(ctx->fips_version); OPENSSL_free(ctx); } diff --git a/test/helpers/ssl_test_ctx.h b/test/helpers/ssl_test_ctx.h index 4baf657f6d..982d15a5c3 100644 --- a/test/helpers/ssl_test_ctx.h +++ b/test/helpers/ssl_test_ctx.h @@ -231,6 +231,9 @@ typedef struct { char *expected_session_ticket_app_data; OSSL_LIB_CTX *libctx; + + /* FIPS version string to check for compatibility */ + char *fips_version; } SSL_TEST_CTX; const char *ssl_test_result_name(ssl_test_result_t result); diff --git a/test/ssl-tests/30-extended-master-secret.cnf b/test/ssl-tests/30-extended-master-secret.cnf index 9dae431d21..6c118a54ca 100644 --- a/test/ssl-tests/30-extended-master-secret.cnf +++ b/test/ssl-tests/30-extended-master-secret.cnf @@ -32,6 +32,7 @@ VerifyMode = Peer [test-0] ExpectedResult = Success +FIPSversion = <=3.1.0 # =========================================================== @@ -57,6 +58,7 @@ VerifyMode = Peer [test-1] ExpectedResult = Success +FIPSversion = <=3.1.0 # =========================================================== @@ -83,6 +85,7 @@ VerifyMode = Peer [test-2] ExpectedResult = Success +FIPSversion = <=3.1.0 # =========================================================== @@ -122,6 +125,7 @@ VerifyMode = Peer [test-3] ExpectedResult = Success +FIPSversion = <=3.1.0 HandshakeMode = Resume @@ -148,6 +152,7 @@ VerifyMode = Peer [test-4] ExpectedResult = Success +FIPSversion = <=3.1.0 # =========================================================== @@ -173,6 +178,7 @@ VerifyMode = Peer [test-5] ExpectedResult = Success +FIPSversion = <=3.1.0 # =========================================================== @@ -199,5 +205,6 @@ VerifyMode = Peer [test-6] ExpectedResult = Success +FIPSversion = <=3.1.0 
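Review bot: The comment on the new `fips_version` field in `SSL_TEST_CTX` does not say what the string holds or what NULL means, and the commit description is the only place the format is stated; the header is where a test author will look. I would write `/* Space-separated list of FIPS provider version checks (e.g. "<=3.1.0"), all of which must pass for the test to run; NULL means no restriction. */` above the field. The freeing hunk in `SSL_TEST_CTX_free` correctly releases the new string alongside `expected_cipher`.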
diff --git a/test/ssl-tests/30-extended-master-secret.cnf.in b/test/ssl-tests/30-extended-master-secret.cnf.in index 281718e6b5..40f4df3308 100644 --- a/test/ssl-tests/30-extended-master-secret.cnf.in +++ b/test/ssl-tests/30-extended-master-secret.cnf.in @@ -27,6 +27,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -40,6 +41,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -54,6 +56,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -75,6 +78,7 @@ my @tests_tls1_2 = ( test => { "HandshakeMode" => "Resume", "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -88,6 +92,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -101,6 +106,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, { @@ -115,6 +121,7 @@ my @tests_tls1_2 = ( }, test => { "ExpectedResult" => "Success", + "FIPSversion" => "<=3.1.0", }, }, ); diff --git a/test/ssl_test.c b/test/ssl_test.c index eac86ccecf..2795909820 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -409,6 +409,13 @@ static int test_handshake(int idx) if (!TEST_ptr(test_ctx)) goto err; + /* Verify that the FIPS provider supports this test */ + if (test_ctx->fips_version != NULL + && !fips_provider_version_match(libctx, test_ctx->fips_version)) { + ret = TEST_skip("FIPS provider unable to run this test"); + goto err; + } + #ifndef OPENSSL_NO_DTLS if (test_ctx->method == SSL_TEST_METHOD_DTLS) { server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());
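Review bot: The skip added at the top of `test_handshake` reports only a generic message, so a whole block of tests can vanish from a FIPS run without the log saying which version check failed; `ret = TEST_skip("FIPS provider unable to run this test (FIPSversion %s)", test_ctx->fips_version);` would make the cause visible. The check also fires whenever `FIPSversion` is set, regardless of whether the FIPS provider is loaded into `libctx`, so correctness relies on `fips_provider_version_match` reporting a match when no FIPS provider is present — confirm that, or gate the block on the test's FIPS flag. Gating the no-EMS cases in `30-extended-master-secret.cnf.in` to `<=3.1.0` also leaves the mandatory-EMS enforcement they motivate unasserted on newer providers; a companion case expecting the handshake to fail under a version check for later providers (if the expression syntax supports it) would cover that path. `test_handshake` continues outside the hunk.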