From: Matt Caswell <matt@openssl.org>
Date: Sat, 21 Mar 2020 00:39:27 +0000 (+0000)
Subject: Re-enable FIPS testing in sslapitest.c
X-Git-Tag: openssl-3.0.0-alpha1~47
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=4f6c704495248d4e61b7668201e3bef47a45e35f

Re-enable FIPS testing in sslapitest.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
---

diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index 18ca860e23..5e137c5e77 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -19,30 +19,40 @@ use lib srctop_dir('Configurations');
 use lib bldtop_dir('.');
 use platform;
 
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
     if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
 
-plan tests => 2;
+plan tests =>
+    ($no_fips ? 0 : 2)          # FIPS install test + sslapitest with fips
+    + 1;                        # sslapitest with default provider
 
 (undef, my $tmpfilename) = tempfile();
 
-
 $ENV{OPENSSL_MODULES} = bldtop_dir("providers");
 $ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
 
-ok(run(app(['openssl', 'fipsinstall',
-            '-out', bldtop_file('providers', 'fipsinstall.cnf'),
-            '-module', bldtop_file('providers', platform->dso('fips')),
-            '-provider_name', 'fips', '-mac_name', 'HMAC',
-            '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
-            '-section_name', 'fips_sect'])),
-   "fipsinstall");
-
 ok(run(test(["sslapitest", srctop_dir("test", "certs"),
              srctop_file("test", "recipes", "90-test_sslapi_data",
                          "passwd.txt"), $tmpfilename, "default",
              srctop_file("test", "default.cnf")])),
              "running sslapitest");
 
+unless ($no_fips) {
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-module', bldtop_file('providers', platform->dso('fips')),
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                '-section_name', 'fips_sect'])),
+       "fipsinstall");
+
+    ok(run(test(["sslapitest", srctop_dir("test", "certs"),
+                 srctop_file("test", "recipes", "90-test_sslapi_data",
+                             "passwd.txt"), $tmpfilename, "fips",
+                 srctop_file("test", "fips.cnf")])),
+                 "running sslapitest");
+}
+
 unlink $tmpfilename;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index ef078ad244..b1522b451d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -64,6 +64,8 @@ static char *privkey = NULL;
 static char *srpvfile = NULL;
 static char *tmpfilename = NULL;
 
+static int is_fips = 0;
+
 #define LOG_BUFFER_SIZE 2048
 static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
 static size_t server_log_buffer_index = 0;
@@ -3748,6 +3750,10 @@ static int test_ciphersuite_change(void)
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                        TLS_client_method(), TLS1_VERSION, 0,
                                        &sctx, &cctx, cert, privkey))
+            || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
+                                                   "TLS_AES_128_GCM_SHA256:"
+                                                   "TLS_AES_256_GCM_SHA384:"
+                                                   "TLS_AES_128_CCM_SHA256"))
             || !TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                    "TLS_AES_128_GCM_SHA256"))
             || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
@@ -3765,12 +3771,11 @@ static int test_ciphersuite_change(void)
     SSL_free(clientssl);
     serverssl = clientssl = NULL;
 
-# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
     /* Check we can resume a session with a different SHA-256 ciphersuite */
     if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
-                                            "TLS_CHACHA20_POLY1305_SHA256"))
-            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
-                                             NULL, NULL))
+                                            "TLS_AES_128_CCM_SHA256"))
+            || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+                                             &clientssl, NULL, NULL))
             || !TEST_true(SSL_set_session(clientssl, clntsess))
             || !TEST_true(create_ssl_connection(serverssl, clientssl,
                                                 SSL_ERROR_NONE))
@@ -3784,7 +3789,6 @@ static int test_ciphersuite_change(void)
     SSL_free(serverssl);
     SSL_free(clientssl);
     serverssl = clientssl = NULL;
-# endif
 
     /*
      * Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
@@ -4033,15 +4037,19 @@ static int test_tls13_ciphersuite(int idx)
 {
     SSL_CTX *sctx = NULL, *cctx = NULL;
     SSL *serverssl = NULL, *clientssl = NULL;
-    static const char *t13_ciphers[] = {
-        TLS1_3_RFC_AES_128_GCM_SHA256,
-        TLS1_3_RFC_AES_256_GCM_SHA384,
-        TLS1_3_RFC_AES_128_CCM_SHA256,
+    static const struct {
+        const char *ciphername;
+        int fipscapable;
+    } t13_ciphers[] = {
+        { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
+        { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
+        { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-        TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
-        TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+        { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
+        { TLS1_3_RFC_AES_256_GCM_SHA384
+          ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
 # endif
-        TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
+        { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
     };
     const char *t13_cipher = NULL;
     const char *t12_cipher = NULL;
@@ -4076,7 +4084,9 @@ static int test_tls13_ciphersuite(int idx)
             continue;
 # endif
         for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
-            t13_cipher = t13_ciphers[i];
+            if (is_fips && !t13_ciphers[i].fipscapable)
+                continue;
+            t13_cipher = t13_ciphers[i].ciphername;
             if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                                TLS_client_method(),
                                                TLS1_VERSION, max_ver,
@@ -4194,6 +4204,16 @@ static int test_tls13_psk(int idx)
         if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
                                                 "TLS_AES_128_GCM_SHA256")))
             goto end;
+    } else {
+        /*
+         * As noted above the server should prefer SHA256 automatically. However
+         * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
+         * code works even if we are testing with only the FIPS provider loaded.
+         */
+        if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
+                                                "TLS_AES_256_GCM_SHA384:"
+                                                "TLS_AES_128_GCM_SHA256")))
+            goto end;
     }
 
     /*
@@ -4933,6 +4953,8 @@ static int test_export_key_mat(int tst)
     if (tst == 1)
         return 1;
 #endif
+    if (is_fips && (tst == 0 || tst == 1))
+        return 1;
 #ifdef OPENSSL_NO_TLS1_2
     if (tst == 2)
         return 1;
@@ -7303,6 +7325,9 @@ int setup_tests(void)
             && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
         return 0;
 
+    if (strcmp(modulename, "fips") == 0)
+        is_fips = 1;
+
     if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
 #ifdef OPENSSL_NO_CRYPTO_MDEBUG
         TEST_error("not supported in this build");