From: Matt Caswell Date: Mon, 16 Mar 2020 17:03:08 +0000 (+0000) Subject: Extend the sslprovider_test to be able to additionally test FIPS X-Git-Tag: openssl-3.0.0-alpha1~172 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=beb958ccd87b95f1a86bfe2b879492b62e58d80e Extend the sslprovider_test to be able to additionally test FIPS Previously we could test an empty default ctx, with the default provider loaded into another ctx. Now we do the same with the FIPS provider. Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/11401)
---
diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t
index 9781091bba..f0ff38a386 100644
--- a/test/recipes/90-test_sslprovider.t
+++ b/test/recipes/90-test_sslprovider.t
@@ -8,14 +8,46 @@ use OpenSSL::Test::Utils; -use OpenSSL::Test qw/:DEFAULT srctop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir/; +BEGIN { setup("test_sslprovider"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); -plan tests => 1; +plan tests => 3; + +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); + +SKIP: { + skip "Skipping FIPS installation", 1 + if disabled("fips"); -ok(run(test(["sslprovidertest", srctop_dir("test", "certs")])), + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsinstall.cnf'), + '-module', bldtop_file('providers', platform->dso('fips')), + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), + "fipsinstall"); +} + +ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "default", + srctop_file("test", "default.cnf")])), "running sslprovidertest"); + +SKIP: { + skip "Skipping FIPS provider test", 1 + if disabled("fips"); + + ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "fips", + srctop_file("test", "fips.cnf")])), + "running sslprovidertest"); +} diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c index 76a6f8f6b2..5f78554fb9 100644 --- a/test/sslprovidertest.c +++ b/test/sslprovidertest.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include #include "ssltestlib.h" @@ -14,9 +15,10 @@ static char *cert = NULL; static char *privkey = NULL; +static char *modulename = NULL; +static char *configfile = NULL; -/* TODO(3.0): Re-enable this code. See comment in setup_tests() */ -OSSL_PROVIDER *defctxlegacy = NULL; +static OSSL_PROVIDER *defctxlegacy = NULL; static int test_different_libctx(void) { 
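Review bot: The FIPS run in the second SKIP block reuses the description `"running sslprovidertest"` that the default-provider test two lines above already carries, so in TAP output a failure of test 3 cannot be told apart from test 2; name the provider in each, e.g. `"running sslprovidertest with default provider"` and `"running sslprovidertest with fips provider"`. The fips run also depends on the `fipsinstall.cnf` written by the first SKIP block, presumably pulled in by `fips.cnf` via the `OPENSSL_CONF_INCLUDE` set a few lines earlier; if `fipsinstall` fails, test 3 fails later with a provider-load error rather than at the real cause. A one-line comment above the second SKIP block, such as `# Requires the fipsinstall.cnf produced by the fipsinstall step above`, would make that ordering dependency visible to the next reader.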
@@ -24,10 +26,29 @@ static int test_different_libctx(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; OPENSSL_CTX *libctx = OPENSSL_CTX_new(); + OSSL_PROVIDER *prov = NULL; - /* Verify that the default provider in the default libctx is not available */ - if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + /* + * Verify that the default and fips providers in the default libctx are not + * available + */ + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) + || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) + goto end; + + if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile))) + goto end; + + prov = OSSL_PROVIDER_load(libctx, modulename); + if (!TEST_ptr(prov) + /* Check we have the provider available */ + || !TEST_true(OSSL_PROVIDER_available(libctx, modulename))) + goto end; + /* Check the default provider is not available */ + if (strcmp(modulename, "default") != 0 + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) goto end; + TEST_note("%s provider loaded", modulename); cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method()); if (!TEST_ptr(cctx)) @@ -62,10 +83,11 @@ static int test_different_libctx(void) goto end; /* - * Verify that the default provider in the default libctx is still not - * available + * Verify that the default and fips providers in the default libctx are + * still not available */ - if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) + || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) goto end; testresult = 1; @@ -76,6 +98,7 @@ static int test_different_libctx(void) SSL_CTX_free(sctx); SSL_CTX_free(cctx); + OSSL_PROVIDER_unload(prov); OPENSSL_CTX_free(libctx); return testresult; 
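Review bot: `libctx` from `OPENSSL_CTX_new()` (a context line at the top of this hunk) is now handed to `OPENSSL_CTX_load_config` and `OSSL_PROVIDER_load` without a NULL check, so an allocation failure becomes a crash instead of a reported test failure; add `if (!TEST_ptr(libctx)) goto end;` before the config load. The isolation check added after the load is also one-sided: the fips run confirms "default" is absent from `libctx`, but the default run never confirms "fips" is absent, so an `else` branch with `!TEST_false(OSSL_PROVIDER_available(libctx, "fips"))` would keep the two runs symmetric with the default-libctx check at the top. The `strcmp` on `modulename` is safe only because setup_tests validates it with TEST_ptr, which is worth a short comment at the comparison. test_different_libctx begins before this hunk and its `end:` label lies in a later hunk.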
@@ -84,17 +107,15 @@ static int test_different_libctx(void) int setup_tests(void) { char *certsdir = NULL; - /* - * For tests in this file we want to ensure the default ctx does not have - * the default provider loaded into the default ctx. So we load "legacy" to - * prevent default from being auto-loaded. This tests that there is no - * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the - * specific libctx to be used - nothing should fall back to the default - * libctx - */ - defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"); - if (!TEST_ptr(certsdir = test_get_argument(0))) + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + + if (!TEST_ptr(certsdir = test_get_argument(0)) + || !TEST_ptr(modulename = test_get_argument(1)) + || !TEST_ptr(configfile = test_get_argument(2))) return 0; cert = test_mk_file_path(certsdir, "servercert.pem"); @@ -107,6 +128,16 @@ int setup_tests(void) return 0; } + /* + * For tests in this file we want to ensure the default ctx does not have + * the default provider loaded into the default ctx. So we load "legacy" to + * prevent default from being auto-loaded. This tests that there is no + * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the + * specific libctx to be used - nothing should fall back to the default + * libctx + */ + defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"); + ADD_TEST(test_different_libctx); return 1; @@ -114,6 +145,5 @@ int setup_tests(void) void cleanup_tests(void) { - /* TODO(3.0): Re-enable this code. See comment in setup_tests() */ OSSL_PROVIDER_unload(defctxlegacy); }
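Review bot: In the second hunk on this line the moved `defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy");` still discards its result, so if the legacy module cannot be loaded the "no leakage" precondition described in the comment directly above it is silently lost and test_different_libctx later fails on its first `TEST_false` with a message that points at the wrong cause; `if (!TEST_ptr(defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"))) return 0;` reports the failure where it happens. The new argument handling in the first hunk is sound: `modulename` and `configfile` are checked with TEST_ptr before use, which is what makes the later `strcmp(modulename, "default")` safe. setup_tests opens in the first hunk on this line and its closing brace lies between the second and third hunks, outside what is shown.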