summaryrefslogtreecommitdiffstats
path: root/test/recipes
diff options
context:
space:
mode:
authorRich Salz <rsalz@akamai.com>2020-06-29 12:20:41 +1000
committerShane Lontis <shane.lontis@oracle.com>2020-06-29 12:20:41 +1000
commit31214258309251aff297da67a60a6b60bf4ef27e (patch)
treeaee548533bd6a7fe25c3c6ebf06b46287dfccb6c /test/recipes
parent9afbb681ecd433623fb39db2a110ec3351d271c7 (diff)
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's Use default FIPSKEY if not given on command line. Make all -macopt in fipsinstall optional Make all tests, except fipsinstall, use the default -macopt and -mac_name flags. Define and use FIPSDIR variable on VMS/MMS. Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12235)
Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/03-test_fipsinstall.t25
-rw-r--r--test/recipes/30-test_acvp.t3
-rw-r--r--test/recipes/30-test_evp.t3
-rw-r--r--test/recipes/30-test_evp_fetch_prov.t3
-rw-r--r--test/recipes/80-test_ssl_new.t3
-rw-r--r--test/recipes/80-test_ssl_old.t3
-rw-r--r--test/recipes/90-test_sslapi.t3
7 files changed, 19 insertions, 24 deletions
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 16ae955663..64970bea5a 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -27,18 +27,19 @@ plan skip_all => "Test only supported in a fips build" if disabled("fips");
plan tests => 12;
my $infile = bldtop_file('providers', platform->dso('fips'));
+my $fipskey = $ENV{FIPSKEY} // '00';
# fail if no module name
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
'-provider_name', 'fips',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install'])),
"fipsinstall fail");
# fail to verify if the configuration file is missing
ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-verify'])),
"fipsinstall verify fail");
@@ -46,56 +47,56 @@ ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
# output a fips.cnf file containing mac data
ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install'])),
"fipsinstall");
# verify the fips.cnf file
ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-verify'])),
"fipsinstall verify");
# fail to verify the fips.cnf file if a different key is used
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:01',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
'-section_name', 'fips_install', '-verify'])),
"fipsinstall verify fail bad key");
# fail to verify the fips.cnf file if a different mac digest is used
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA512', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-verify'])),
"fipsinstall verify fail incorrect digest");
# corrupt the module hmac
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-corrupt_desc', 'HMAC'])),
"fipsinstall fails when the module integrity is corrupted");
# corrupt the first digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-corrupt_desc', 'SHA1'])),
"fipsinstall fails when the digest result is corrupted");
# corrupt another digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-corrupt_desc', 'SHA3'])),
"fipsinstall fails when the digest result is corrupted");
# corrupt DRBG
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install', '-corrupt_desc', 'CTR'])),
"fipsinstall fails when the DRBG CTR result is corrupted");
@@ -106,7 +107,7 @@ SKIP: {
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install',
'-corrupt_desc', 'DH',
'-corrupt_type', 'KAT_KA'])),
@@ -119,7 +120,7 @@ SKIP: {
if disabled("dsa");
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_install',
'-corrupt_desc', 'DSA',
'-corrupt_type', 'KAT_Signature'])),
diff --git a/test/recipes/30-test_acvp.t b/test/recipes/30-test_acvp.t
index e2e40aaa76..49cd484a30 100644
--- a/test/recipes/30-test_acvp.t
+++ b/test/recipes/30-test_acvp.t
@@ -32,8 +32,7 @@ plan tests => 2;
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', $infile,
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect'])),
"fipsinstall");
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 27b3781f27..3855d8a3b9 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -85,8 +85,7 @@ unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', $infile,
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect'])),
"fipsinstall");
}
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t
index a49a66fee6..f53fdb0700 100644
--- a/test/recipes/30-test_evp_fetch_prov.t
+++ b/test/recipes/30-test_evp_fetch_prov.t
@@ -47,8 +47,7 @@ unless ($no_fips) {
cmd => app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect']),
message => "fipsinstall"
};
diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index f105a39ce0..1df21d7ad1 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -118,8 +118,7 @@ unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect'])),
"fipsinstall");
}
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 85f71614c4..814fe7ce6d 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -86,8 +86,7 @@ unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect'])),
"fipsinstall");
}
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index e25ca0ba3e..c32221b9f6 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -40,8 +40,7 @@ unless ($no_fips) {
ok(run(app(['openssl', 'fipsinstall',
'-out', bldtop_file('providers', 'fipsmodule.cnf'),
'-module', bldtop_file('providers', platform->dso('fips')),
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-provider_name', 'fips',
'-section_name', 'fips_sect'])),
"fipsinstall");
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-27 17:20:38 +0000