
Extend the sslprovider_test to be able to additionally test FIPS

Previously we could test an empty default ctx, with the default provider
loaded into another ctx. Now we do the same with the FIPS provider.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11401)
Matt Caswell 4 yıl önce
ebeveyn
işleme
beb958ccd8
2 değiştirilmiş dosya ile 83 ekleme ve 21 silme
  1. 35 3
      test/recipes/90-test_sslprovider.t
  2. 48 18
      test/sslprovidertest.c

+ 35 - 3
test/recipes/90-test_sslprovider.t

@@ -8,14 +8,46 @@
 
 
 use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_dir/;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir/;
 
+BEGIN {
 setup("test_sslprovider");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
 
 plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
     if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
 
-plan tests => 1;
+plan tests => 3;
+
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
+
+SKIP: {
+    skip "Skipping FIPS installation", 1
+        if disabled("fips");
 
-ok(run(test(["sslprovidertest", srctop_dir("test", "certs")])),
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-module', bldtop_file('providers', platform->dso('fips')),
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                '-section_name', 'fips_sect'])),
+       "fipsinstall");
+}
+
+ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "default",
+             srctop_file("test", "default.cnf")])),
              "running sslprovidertest");
+
+SKIP: {
+    skip "Skipping FIPS provider test", 1
+        if disabled("fips");
+
+    ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "fips",
+                 srctop_file("test", "fips.cnf")])),
+                 "running sslprovidertest");
+}
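Review bot: The two `ok(run(test([...])))` checks for the default and fips runs both carry the description `"running sslprovidertest"`, so when one fails the TAP output cannot say which provider was under test. Renaming them to `"running sslprovidertest with the default provider"` and `"running sslprovidertest with the fips provider"` makes the report unambiguous. Also, if the `fipsinstall` step in the first SKIP block fails, the second SKIP block still runs and presumably fails a second time for the same root cause; recording the result of the first `ok(...)` and skipping the fips run on failure would keep one failure per cause.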

+ 48 - 18
test/sslprovidertest.c

@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <string.h>
 #include <openssl/provider.h>
 
 #include "ssltestlib.h"
@@ -14,9 +15,10 @@
 
 static char *cert = NULL;
 static char *privkey = NULL;
+static char *modulename = NULL;
+static char *configfile = NULL;
 
-/* TODO(3.0): Re-enable this code. See comment in setup_tests() */
-OSSL_PROVIDER *defctxlegacy = NULL;
+static OSSL_PROVIDER *defctxlegacy = NULL;
 
 static int test_different_libctx(void)
 {
@@ -24,10 +26,29 @@ static int test_different_libctx(void)
     SSL *clientssl = NULL, *serverssl = NULL;
     int testresult = 0;
     OPENSSL_CTX *libctx = OPENSSL_CTX_new();
+    OSSL_PROVIDER *prov = NULL;
 
-    /* Verify that the default provider in the default libctx is not available */
-    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")))
+    /*
+     * Verify that the default and fips providers in the default libctx are not
+     * available
+     */
+    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
+            || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
+        goto end;
+
+    if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
+        goto end;
+
+    prov = OSSL_PROVIDER_load(libctx, modulename);
+    if (!TEST_ptr(prov)
+               /* Check we have the provider available */
+            || !TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
+        goto end;
+    /* Check the default provider is not available */
+    if (strcmp(modulename, "default") != 0
+            && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
         goto end;
+    TEST_note("%s provider loaded", modulename);
 
     cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method());
     if (!TEST_ptr(cctx))
@@ -62,10 +83,11 @@ static int test_different_libctx(void)
         goto end;
 
     /*
-     * Verify that the default provider in the default libctx is still not
-     * available
+     * Verify that the default and fips providers in the default libctx are
+     * still not available
      */
-    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")))
+    if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
+            || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
         goto end;
 
     testresult = 1;
@@ -76,6 +98,7 @@ static int test_different_libctx(void)
     SSL_CTX_free(sctx);
     SSL_CTX_free(cctx);
 
+    OSSL_PROVIDER_unload(prov);
     OPENSSL_CTX_free(libctx);
 
     return testresult;
@@ -84,17 +107,15 @@ static int test_different_libctx(void)
 int setup_tests(void)
 {
     char *certsdir = NULL;
-    /*
-     * For tests in this file we want to ensure the default ctx does not have
-     * the default provider loaded into the default ctx. So we load "legacy" to
-     * prevent default from being auto-loaded. This tests that there is no
-     * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the
-     * specific libctx to be used - nothing should fall back to the default
-     * libctx
-     */
-    defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy");
 
-    if (!TEST_ptr(certsdir = test_get_argument(0)))
+    if (!test_skip_common_options()) {
+        TEST_error("Error parsing test options\n");
+        return 0;
+    }
+
+    if (!TEST_ptr(certsdir = test_get_argument(0))
+            || !TEST_ptr(modulename = test_get_argument(1))
+            || !TEST_ptr(configfile = test_get_argument(2)))
         return 0;
 
     cert = test_mk_file_path(certsdir, "servercert.pem");
@@ -107,6 +128,16 @@ int setup_tests(void)
         return 0;
     }
 
+    /*
+     * For tests in this file we want to ensure the default ctx does not have
+     * the default provider loaded into the default ctx. So we load "legacy" to
+     * prevent default from being auto-loaded. This tests that there is no
+     * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the
+     * specific libctx to be used - nothing should fall back to the default
+     * libctx
+     */
+    defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy");
+
     ADD_TEST(test_different_libctx);
 
     return 1;
@@ -114,6 +145,5 @@ int setup_tests(void)
 
 void cleanup_tests(void)
 {
-    /* TODO(3.0): Re-enable this code. See comment in setup_tests() */
     OSSL_PROVIDER_unload(defctxlegacy);
 }
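Review bot: In setup_tests the result of `OSSL_PROVIDER_load(NULL, "legacy")` is still not checked after the block is moved, so on a build without the legacy provider (or any load failure) `defctxlegacy` stays NULL and the test continues on a premise its own comment says it depends on; the problem would surface only indirectly at the `TEST_false(OSSL_PROVIDER_available(NULL, "default"))` checks in test_different_libctx. Replacing the assignment with `if (!TEST_ptr(defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy")))` followed by `return 0;` fails early and names the real cause in the test output. Relatedly, the `goto end` paths taken before `prov` is assigned reach the new `OSSL_PROVIDER_unload(prov)` with `prov` still NULL; that is fine only if unload tolerates a NULL argument, which this hunk does not show, so a `if (prov != NULL)` guard or a comment stating the NULL tolerance would be worth adding. The `end:` cleanup belongs to test_different_libctx, whose body starts outside the shown hunks.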