author | Shane Lontis <shane.lontis@oracle.com> | 2019-09-15 19:55:10 +1000 |
committer | Shane Lontis <shane.lontis@oracle.com> | 2019-09-15 19:55:10 +1000 |
commit | 7bb82f92d94375e7673fe02cb8186595b2c539f2 (patch) | |
tree | 9ad368205615d359374430b91906e4c704135fae /test | |
parent | dd11c5f0fa809063b152cd2851c4c1e56fbd20c8 (diff) |
Add fips module integrity check
Add environment variable for setting CONF .include path
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9769)
Diffstat (limited to 'test')
-rw-r--r-- | test/build.info | 6 | ||||
-rw-r--r-- | test/default-and-fips.cnf | 13 | ||||
-rw-r--r-- | test/evp_extra_test.c | 336 | ||||
-rw-r--r-- | test/evp_fetch_prov_test.c | 251 | ||||
-rw-r--r-- | test/fips.cnf | 5 | ||||
-rw-r--r-- | test/recipes/30-test_evp.t | 20 | ||||
-rw-r--r-- | test/recipes/30-test_evp_fetch_prov.t | 79 |
7 files changed, 370 insertions, 340 deletions
diff --git a/test/build.info b/test/build.info
index eb344fd6c3..f41c72c21e 100644
--- a/test/build.info
+++ b/test/build.info
@@ -38,7 +38,7 @@ IF[{- !$disabled{tests} -}]
 destest mdc2test \
 dhtest enginetest casttest \
 bftest ssltest_old dsatest dsa_no_digest_size_test exptest rsa_test \
- evp_test evp_extra_test igetest v3nametest v3ext \
+ evp_test evp_extra_test evp_fetch_prov_test igetest v3nametest v3ext \
 crltest danetest bad_dtls_test lhash_test sparse_array_test \
 conf_include_test params_api_test params_conversion_test \
 constant_time_test verify_extra_test clienthellotest \
@@ -195,6 +195,10 @@ IF[{- !$disabled{tests} -}]
 SOURCE[evp_extra_test]=evp_extra_test.c
 INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
 DEPEND[evp_extra_test]=../libcrypto libtestutil.a
+
+ SOURCE[evp_fetch_prov_test]=evp_fetch_prov_test.c
+ INCLUDE[evp_fetch_prov_test]=../include ../apps/include ../crypto/include
+ DEPEND[evp_fetch_prov_test]=../libcrypto libtestutil.a
 IF[{- $disabled{fips} || !$target{dso_scheme} -}]
 DEFINE[evp_extra_test]=NO_FIPS_MODULE
 ENDIF
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
new file mode 100644
index 0000000000..6db1a940ee
--- /dev/null
+++ b/test/default-and-fips.cnf
@@ -0,0 +1,13 @@
+openssl_conf = openssl_init
+
+.include fipsinstall.conf
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+fips = fips_sect
+
+[default_sect]
+activate = 1
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index bbb846e6fd..1898e31de8 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -11,6 +11,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/bio.h>
+#include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
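Review bot: In test/default-and-fips.cnf the `fips = fips_sect` mapping points at a section this file never defines; it only exists if the `.include fipsinstall.conf` line resolves, and that bare filename is found through the OPENSSL_CONF_INCLUDE directory the recipes export (see the .t changes in this commit), not relative to the config file. A reader of the .cnf alone cannot see that dependency, so a one-line comment above the include would help: `# fips_sect (with the module's integrity-check data) comes from the fipsinstall.conf that the test recipe generates into OPENSSL_CONF_INCLUDE`. The same applies to the reworked test/fips.cnf further down, which now also drops its own `[fips_sect]` in favour of the include.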
@@ -1070,333 +1071,7 @@ done: X509_PUBKEY_free(xp); return ret; } -#endif - - -static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, - const unsigned char *exptd) -{ - unsigned char out[SHA256_DIGEST_LENGTH]; - EVP_MD_CTX *ctx; - int ret = 0; - - if (!TEST_ptr(ctx = EVP_MD_CTX_new()) - || !TEST_true(EVP_DigestInit_ex(ctx, md, NULL)) - || !TEST_true(EVP_DigestUpdate(ctx, msg, len)) - || !TEST_true(EVP_DigestFinal_ex(ctx, out, NULL)) - || !TEST_mem_eq(out, SHA256_DIGEST_LENGTH, exptd, - SHA256_DIGEST_LENGTH) - || !TEST_true(md == EVP_MD_CTX_md(ctx))) - goto err; - - ret = 1; - err: - EVP_MD_CTX_free(ctx); - return ret; -} -/* - * Test EVP_MD_fetch() - * - * Test 0: Test with the default OPENSSL_CTX - * Test 1: Test with an explicit OPENSSL_CTX - * Test 2: Explicit OPENSSL_CTX with explicit load of default provider - * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider - * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider - */ -static int test_EVP_MD_fetch(int tst) -{ - OPENSSL_CTX *ctx = NULL; - EVP_MD *md = NULL; - OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL; - int ret = 0; - const char testmsg[] = "Hello world"; - const unsigned char exptd[] = { - 0x27, 0x51, 0x8b, 0xa9, 0x68, 0x30, 0x11, 0xf6, 0xb3, 0x96, 0x07, 0x2c, - 0x05, 0xf6, 0x65, 0x6d, 0x04, 0xf5, 0xfb, 0xc3, 0x78, 0x7c, 0xf9, 0x24, - 0x90, 0xec, 0x60, 0x6e, 0x50, 0x92, 0xe3, 0x26 - }; - - if (tst > 0) { - ctx = OPENSSL_CTX_new(); - if (!TEST_ptr(ctx)) - goto err; - - if (tst == 2 || tst == 3) { - defltprov = OSSL_PROVIDER_load(ctx, "default"); - if (!TEST_ptr(defltprov)) - goto err; - } - if (tst == 3 || tst == 4) { - fipsprov = OSSL_PROVIDER_load(ctx, "fips"); - if (!TEST_ptr(fipsprov)) - goto err; - } - } - - /* Implicit fetching of the MD should produce the expected result */ - if (!TEST_true(calculate_digest(EVP_sha256(), testmsg, sizeof(testmsg), - exptd)) - || !TEST_int_eq(EVP_MD_size(EVP_sha256()), SHA256_DIGEST_LENGTH) - || 
!TEST_int_eq(EVP_MD_block_size(EVP_sha256()), SHA256_CBLOCK)) - goto err; - - /* - * Test that without specifying any properties we can get a sha256 md from a - * provider. - */ - if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", NULL)) - || !TEST_ptr(md) - || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) - || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd)) - || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) - || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) - goto err; - - /* Also test EVP_MD_up_ref() while we're doing this */ - if (!TEST_true(EVP_MD_up_ref(md))) - goto err; - /* Ref count should now be 2. Release both */ - EVP_MD_free(md); - EVP_MD_free(md); - md = NULL; - - /* - * In tests 0 - 2 we've only loaded the default provider so explicitly - * asking for a non-default implementation should fail. In tests 3 and 4 we - * have the FIPS provider loaded so we should succeed in that case. - */ - md = EVP_MD_fetch(ctx, "SHA256", "default=no"); - if (tst == 3 || tst == 4) { - if (!TEST_ptr(md) - || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), - exptd))) - goto err; - } else { - if (!TEST_ptr_null(md)) - goto err; - } - - EVP_MD_free(md); - md = NULL; - - /* - * Explicitly asking for the default implementation should succeed except - * in test 4 where the default provider is not loaded. 
- */ - md = EVP_MD_fetch(ctx, "SHA256", "default=yes"); - if (tst != 4) { - if (!TEST_ptr(md) - || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) - || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), - exptd)) - || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) - || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) - goto err; - } else { - if (!TEST_ptr_null(md)) - goto err; - } - - EVP_MD_free(md); - md = NULL; - - /* - * Explicitly asking for a fips implementation should succeed if we have - * the FIPS provider loaded and fail otherwise - */ - md = EVP_MD_fetch(ctx, "SHA256", "fips=yes"); - if (tst == 3 || tst == 4) { - if (!TEST_ptr(md) - || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), - exptd))) - goto err; - } else { - if (!TEST_ptr_null(md)) - goto err; - } - - - ret = 1; - - err: - EVP_MD_free(md); - OSSL_PROVIDER_unload(defltprov); - OSSL_PROVIDER_unload(fipsprov); - /* Not normally needed, but we would like to test that - * OPENSSL_thread_stop_ex() behaves as expected. 
- */ - if (ctx != NULL) - OPENSSL_thread_stop_ex(ctx); - OPENSSL_CTX_free(ctx); - return ret; -} - -static int encrypt_decrypt(const EVP_CIPHER *cipher, const unsigned char *msg, - size_t len) -{ - int ret = 0, ctlen, ptlen; - EVP_CIPHER_CTX *ctx = NULL; - unsigned char key[128 / 8]; - unsigned char ct[64], pt[64]; - - memset(key, 0, sizeof(key)); - if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) - || !TEST_int_eq(EVP_CIPHER_CTX_tag_length(ctx), 0) - || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 1)) - || !TEST_int_eq(EVP_CIPHER_CTX_tag_length(ctx), 0) - || !TEST_true(EVP_CipherUpdate(ctx, ct, &ctlen, msg, len)) - || !TEST_true(EVP_CipherFinal_ex(ctx, ct, &ctlen)) - || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 0)) - || !TEST_int_eq(EVP_CIPHER_CTX_tag_length(ctx), 0) - || !TEST_true(EVP_CipherUpdate(ctx, pt, &ptlen, ct, ctlen)) - || !TEST_true(EVP_CipherFinal_ex(ctx, pt, &ptlen)) - || !TEST_mem_eq(pt, ptlen, msg, len)) - goto err; - - ret = 1; - err: - EVP_CIPHER_CTX_free(ctx); - return ret; -} - -static int get_num_params(const OSSL_PARAM *params) -{ - int i = 0; - - if (params != NULL) { - while (params[i].key != NULL) - ++i; - ++i; - } - return i; -} - -/* - * Test EVP_CIPHER_fetch() - * - * Test 0: Test with the default OPENSSL_CTX - * Test 1: Test with an explicit OPENSSL_CTX - * Test 2: Explicit OPENSSL_CTX with explicit load of default provider - * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider - * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider - */ -static int test_EVP_CIPHER_fetch(int tst) -{ - OPENSSL_CTX *ctx = NULL; - EVP_CIPHER *cipher = NULL; - OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL; - int ret = 0; - const unsigned char testmsg[] = "Hello world"; - const OSSL_PARAM *params; - - if (tst > 0) { - ctx = OPENSSL_CTX_new(); - if (!TEST_ptr(ctx)) - goto err; - - if (tst == 2 || tst == 3) { - defltprov = OSSL_PROVIDER_load(ctx, "default"); - if (!TEST_ptr(defltprov)) - goto 
err; - } - if (tst == 3 || tst == 4) { - fipsprov = OSSL_PROVIDER_load(ctx, "fips"); - if (!TEST_ptr(fipsprov)) - goto err; - } - } - - /* Implicit fetching of the cipher should produce the expected result */ - if (!TEST_true(encrypt_decrypt(EVP_aes_128_cbc(), testmsg, sizeof(testmsg)))) - goto err; - - /* - * Test that without specifying any properties we can get a cipher from a - * provider. - */ - if (!TEST_ptr(cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", NULL)) - || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg)))) - goto err; - - /* Also test EVP_CIPHER_up_ref() while we're doing this */ - if (!TEST_true(EVP_CIPHER_up_ref(cipher))) - goto err; - /* Ref count should now be 2. Release both */ - EVP_CIPHER_free(cipher); - EVP_CIPHER_free(cipher); - cipher = NULL; - - /* - * In tests 0 - 2 we've only loaded the default provider so explicitly - * asking for a non-default implementation should fail. In tests 3 and 4 we - * have the FIPS provider loaded so we should succeed in that case. - */ - cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", "default=no"); - if (tst == 3 || tst == 4) { - if (!TEST_ptr(cipher) - || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg)))) - goto err; - } else { - if (!TEST_ptr_null(cipher)) - goto err; - } - - EVP_CIPHER_free(cipher); - cipher = NULL; - - /* - * Explicitly asking for the default implementation should succeed except - * in test 4 where the default provider is not loaded. 
- */ - cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", "default=yes"); - if (tst != 4) { - if (!TEST_ptr(cipher) - || !TEST_int_eq(EVP_CIPHER_nid(cipher), NID_aes_128_cbc) - || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg))) - || !TEST_int_eq(EVP_CIPHER_block_size(cipher), 128/8)) - goto err; - } else { - if (!TEST_ptr_null(cipher)) - goto err; - } - - EVP_CIPHER_free(cipher); - cipher = NULL; - - /* - * Explicitly asking for a fips implementation should succeed if we have - * the FIPS provider loaded and fail otherwise - */ - cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", "fips=yes"); - if (tst == 3 || tst == 4) { - if (!TEST_ptr(cipher) - || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg))) - || !TEST_ptr(params = cipher->gettable_params()) - || !TEST_int_gt(get_num_params(params), 1) - || !TEST_ptr(params = cipher->gettable_ctx_params()) - || !TEST_int_gt(get_num_params(params), 1) - || !TEST_ptr(params = cipher->settable_ctx_params()) - || !TEST_int_gt(get_num_params(params), 1)) - goto err; - } else { - if (!TEST_ptr_null(cipher)) - goto err; - } - - ret = 1; - - err: - EVP_CIPHER_free(cipher); - OSSL_PROVIDER_unload(defltprov); - OSSL_PROVIDER_unload(fipsprov); - /* Not normally needed, but we would like to test that - * OPENSSL_thread_stop_ex() behaves as expected. - */ - if (ctx != NULL) - OPENSSL_thread_stop_ex(ctx); - OPENSSL_CTX_free(ctx); - return ret; -} +#endif /* OPENSSL_NO_EC */ #ifndef OPENSSL_NO_DSA /* Test getting and setting parameters on an EVP_PKEY_CTX */ @@ -1540,13 +1215,6 @@ int setup_tests(void) ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode, OSSL_NELEM(ec_der_pub_keys)); #endif -#ifdef NO_FIPS_MODULE - ADD_ALL_TESTS(test_EVP_MD_fetch, 3); - ADD_ALL_TESTS(test_EVP_CIPHER_fetch, 3); -#else - ADD_ALL_TESTS(test_EVP_MD_fetch, 5); - ADD_ALL_TESTS(test_EVP_CIPHER_fetch, 5); -#endif #ifndef OPENSSL_NO_DSA ADD_TEST(test_EVP_PKEY_CTX_get_set_params); #endif 
diff --git a/test/evp_fetch_prov_test.c b/test/evp_fetch_prov_test.c
new file mode 100644
index 0000000000..3fd695e84b
--- /dev/null
+++ b/test/evp_fetch_prov_test.c
@@ -0,0 +1,251 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/sha.h> +#include <openssl/evp.h> +#include <openssl/provider.h> +#include "testutil.h" + +static char *alg = "digest"; +static int use_default_ctx = 0; +static char *fetch_property = NULL; +static int expected_fetch_result = 1; + +typedef enum OPTION_choice { + OPT_ERR = -1, + OPT_EOF = 0, + OPT_ALG_FETCH_TYPE, + OPT_FETCH_PROPERTY, + OPT_FETCH_FAILURE, + OPT_USE_DEFAULTCTX, + OPT_TEST_ENUM +} OPTION_CHOICE; + +const OPTIONS *test_get_options(void) +{ + static const OPTIONS test_options[] = { + OPT_TEST_OPTIONS_WITH_EXTRA_USAGE("[provname...]\n"), + { "type", OPT_ALG_FETCH_TYPE, 's', "The fetch type to test" }, + { "property", OPT_FETCH_PROPERTY, 's', "The fetch property e.g. 
fips=yes" }, + { "fetchfail", OPT_FETCH_FAILURE, '-', "fetch is expected to fail" }, + { "defaultctx", OPT_USE_DEFAULTCTX, '-', + "Use the default context if this is set" }, + { OPT_HELP_STR, 1, '-', + "file\tProvider names to explicitly load\n" }, + { NULL } + }; + return test_options; +} + +static int calculate_digest(const EVP_MD *md, const char *msg, size_t len, + const unsigned char *exptd) +{ + unsigned char out[SHA256_DIGEST_LENGTH]; + EVP_MD_CTX *ctx; + int ret = 0; + + if (!TEST_ptr(ctx = EVP_MD_CTX_new()) + || !TEST_true(EVP_DigestInit_ex(ctx, md, NULL)) + || !TEST_true(EVP_DigestUpdate(ctx, msg, len)) + || !TEST_true(EVP_DigestFinal_ex(ctx, out, NULL)) + || !TEST_mem_eq(out, SHA256_DIGEST_LENGTH, exptd, + SHA256_DIGEST_LENGTH) + || !TEST_true(md == EVP_MD_CTX_md(ctx))) + goto err; + + ret = 1; + err: + EVP_MD_CTX_free(ctx); + return ret; +} + +static int load_providers(OPENSSL_CTX **libctx, OSSL_PROVIDER *prov[]) +{ + OPENSSL_CTX *ctx; + int ret = 0; + size_t i; + + ctx = OPENSSL_CTX_new(); + if (!TEST_ptr(ctx)) + goto err; + + if (test_get_argument_count() > 2) + goto err; + + for (i = 0; i < test_get_argument_count(); ++i) { + char *provname = test_get_argument(i); + prov[i] = OSSL_PROVIDER_load(ctx, provname); + if (!TEST_ptr(prov[i])) + goto err; + } + ret = 1; + *libctx = ctx; +err: + return ret; +} + +/* + * Test EVP_MD_fetch() + */ +static int test_EVP_MD_fetch(void) +{ + OPENSSL_CTX *ctx = NULL; + EVP_MD *md = NULL; + OSSL_PROVIDER *prov[2] = {NULL, NULL}; + int ret = 0; + const char testmsg[] = "Hello world"; + const unsigned char exptd[] = { + 0x27, 0x51, 0x8b, 0xa9, 0x68, 0x30, 0x11, 0xf6, 0xb3, 0x96, 0x07, 0x2c, + 0x05, 0xf6, 0x65, 0x6d, 0x04, 0xf5, 0xfb, 0xc3, 0x78, 0x7c, 0xf9, 0x24, + 0x90, 0xec, 0x60, 0x6e, 0x50, 0x92, 0xe3, 0x26 + }; + + if (use_default_ctx == 0 && !load_providers(&ctx, prov)) + goto err; + + /* Implicit fetching of the MD should produce the expected result */ + if (!TEST_true(calculate_digest(EVP_sha256(), testmsg, 
sizeof(testmsg), + exptd)) + || !TEST_int_eq(EVP_MD_size(EVP_sha256()), SHA256_DIGEST_LENGTH) + || !TEST_int_eq(EVP_MD_block_size(EVP_sha256()), SHA256_CBLOCK)) + goto err; + + /* Fetch the digest from a provider using properties. */ + md = EVP_MD_fetch(ctx, "SHA256", fetch_property); + if (expected_fetch_result != 0) { + if (!TEST_ptr(md) + || !TEST_int_eq(EVP_MD_nid(md), NID_sha256) + || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd)) + || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH) + || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK)) + goto err; + + /* Also test EVP_MD_up_ref() while we're doing this */ + if (!TEST_true(EVP_MD_up_ref(md))) + goto err; + /* Ref count should now be 2. Release first one here */ + EVP_MD_meth_free(md); + } else { + if (!TEST_ptr_null(md)) + goto err; + } + ret = 1; + +err: + EVP_MD_meth_free(md); + OSSL_PROVIDER_unload(prov[0]); + OSSL_PROVIDER_unload(prov[1]); + /* Not normally needed, but we would like to test that + * OPENSSL_thread_stop_ex() behaves as expected. 
+ */ + if (ctx != NULL) { + OPENSSL_thread_stop_ex(ctx); + OPENSSL_CTX_free(ctx); + } + return ret; +} + +static int encrypt_decrypt(const EVP_CIPHER *cipher, const unsigned char *msg, + size_t len) +{ + int ret = 0, ctlen, ptlen; + EVP_CIPHER_CTX *ctx = NULL; + unsigned char key[128 / 8]; + unsigned char ct[64], pt[64]; + + memset(key, 0, sizeof(key)); + if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) + || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 1)) + || !TEST_true(EVP_CipherUpdate(ctx, ct, &ctlen, msg, len)) + || !TEST_true(EVP_CipherFinal_ex(ctx, ct, &ctlen)) + || !TEST_true(EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, 0)) + || !TEST_true(EVP_CipherUpdate(ctx, pt, &ptlen, ct, ctlen)) + || !TEST_true(EVP_CipherFinal_ex(ctx, pt, &ptlen)) + || !TEST_mem_eq(pt, ptlen, msg, len)) + goto err; + + ret = 1; +err: + EVP_CIPHER_CTX_free(ctx); + return ret; +} + +/* + * Test EVP_CIPHER_fetch() + */ +static int test_EVP_CIPHER_fetch(void) +{ + OPENSSL_CTX *ctx = NULL; + EVP_CIPHER *cipher = NULL; + OSSL_PROVIDER *prov[2] = {NULL, NULL}; + int ret = 0; + const unsigned char testmsg[] = "Hello world"; + + if (use_default_ctx == 0 && !load_providers(&ctx, prov)) + goto err; + + /* Implicit fetching of the cipher should produce the expected result */ + if (!TEST_true(encrypt_decrypt(EVP_aes_128_cbc(), testmsg, sizeof(testmsg)))) + goto err; + + /* Fetch the cipher from a provider using properties. */ + cipher = EVP_CIPHER_fetch(ctx, "AES-128-CBC", fetch_property); + if (expected_fetch_result != 0) { + if (!TEST_ptr(cipher) + || !TEST_true(encrypt_decrypt(cipher, testmsg, sizeof(testmsg)))) { + if (!TEST_true(EVP_CIPHER_up_ref(cipher))) + goto err; + /* Ref count should now be 2. 
Release first one here */ + EVP_CIPHER_meth_free(cipher); + } + } else { + if (!TEST_ptr_null(cipher)) + goto err; + } + ret = 1; +err: + EVP_CIPHER_meth_free(cipher); + OSSL_PROVIDER_unload(prov[0]); + OSSL_PROVIDER_unload(prov[1]); + OPENSSL_CTX_free(ctx); + return ret; +} + +int setup_tests(void) +{ + OPTION_CHOICE o; + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_ALG_FETCH_TYPE: + alg = opt_arg(); + break; + case OPT_FETCH_PROPERTY: + fetch_property = opt_arg(); + break; + case OPT_FETCH_FAILURE: + expected_fetch_result = 0; + break; + case OPT_USE_DEFAULTCTX: + use_default_ctx = 1; + break; + case OPT_TEST_CASES: + break; + default: + case OPT_ERR: + return 0; + } + } + if (strcmp(alg, "digest") == 0) + ADD_TEST(test_EVP_MD_fetch); + else + ADD_TEST(test_EVP_CIPHER_fetch); + return 1; +} diff --git a/test/fips.cnf b/test/fips.cnf index 0578c8481f..d77d35b99f 100644 --- a/test/fips.cnf +++ b/test/fips.cnf @@ -1,10 +1,9 @@ openssl_conf = openssl_init +.include fipsinstall.conf + [openssl_init] providers = provider_sect [provider_sect] fips = fips_sect - -[fips_sect] -activate = 1 diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t index 7e0be81b1e..e99299ffc4 100644 --- a/test/recipes/30-test_evp.t +++ b/test/recipes/30-test_evp.t @@ -10,10 +10,16 @@ use strict; use warnings; -use OpenSSL::Test qw(:DEFAULT data_file bldtop_dir srctop_file); +use OpenSSL::Test qw(:DEFAULT data_file bldtop_dir srctop_file srctop_dir bldtop_file); use OpenSSL::Test::Utils; +BEGIN { setup("test_evp"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; # Default config depends on if the legacy module is built or not my $defaultcnf = disabled('legacy') ? 'default.cnf' : 'default-and-legacy.cnf'; 
@@ -27,7 +33,17 @@ my @defltfiles = qw( evpencod.txt evpkdf.txt evppkey_kdf.txt evpmac.txt evppbe.txt evppkey.txt evppkey_ecc.txt evpcase.txt evpaessiv.txt evpccmcavs.txt ); -plan tests => (scalar(@configs) * scalar(@files)) + scalar(@defltfiles); +plan tests => (scalar(@configs) * scalar(@files)) + scalar(@defltfiles) + 1; + +my $infile = bldtop_file('providers', platform->dso('fips')); +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); + +ok(run(app(['openssl', 'fipsinstall', '-out', bldtop_file('providers', 'fipsinstall.conf'), + '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), "fipinstall"); foreach (@configs) { $ENV{OPENSSL_CONF} = srctop_file("test", $_); diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t new file mode 100644 index 0000000000..4aa1a1019d --- /dev/null +++ b/test/recipes/30-test_evp_fetch_prov.t 
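Review bot: The new `ok(run(app(['openssl', 'fipsinstall', ...])), "fipinstall")` step in 30-test_evp.t runs unconditionally, yet build.info in this same commit only builds the FIPS pieces when `$disabled{fips}` is false and a dso scheme exists; in a no-fips build the fipsinstall invocation would presumably fail and take the whole recipe with it, so a `disabled('fips')` guard (or a skip block) around the step and the `+ 1` in the plan looks necessary. The test description string `"fipinstall"` is missing an "s". The identical fipsinstall command, including the `-macopt hexkey:00` test key, is repeated verbatim in 30-test_evp_fetch_prov.t; a shared helper would keep the two from drifting apart.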
@@ -0,0 +1,79 @@ +#! /usr/bin/env perl +# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use warnings; + +use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir bldtop_file); +use OpenSSL::Test::Utils; + +BEGIN { +setup("test_evp_fetch_prov"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; + +my @types = ( "digest", "cipher" ); + +plan tests => 2 + 16 * scalar(@types); + +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); + +my $infile = bldtop_file('providers', platform->dso('fips')); +ok(run(app(['openssl', 'fipsinstall', '-out', bldtop_file('providers', 'fipsinstall.conf'), + '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), "fipinstall"); + +# Do implicit fetch using the default context +ok(run(test(["evp_fetch_prov_test", "-defaultctx"])), + "running evp_fetch_prov_test using implicit fetch using the default libctx"); + +foreach my $alg(@types) { + $ENV{OPENSSL_CONF} = srctop_file("test", "default.cnf"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg"])), + "running evp_fetch_prov_test using implicit fetch using a created libctx"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "default"])), + "running evp_fetch_prov_test with implicit fetch using default provider loaded"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=yes", "default"])), + "running evp_fetch_prov_test with $alg fetch 'default=yes' using default provider loaded"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=no", "default"])), + 
"running evp_fetch_prov_test with $alg fetch 'fips=no' using default provider loaded"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=no", "-fetchfail", "default"])), + "running evp_fetch_prov_test with $alg fetch 'default=no' using default provider loaded should fail"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=yes", "-fetchfail", "default"])), + "running evp_fetch_prov_test with $alg fetch 'fips=yes' using default provider loaded should fail"); + + $ENV{OPENSSL_CONF} = srctop_file("test", "fips.cnf"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "", "fips"])), + "running evp_fetch_prov_test with $alg fetch '' using loaded fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=yes", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'fips=yes' using loaded fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=no", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'default=no' using loaded fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=yes", "-fetchfail", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'default=yes' using loaded fips provider should fail"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=no", "-fetchfail", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'fips=no' using loaded fips provider should fail"); + + $ENV{OPENSSL_CONF} = srctop_file("test", "default-and-fips.cnf"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "", "default", "fips"])), + "running evp_fetch_prov_test with $alg fetch '' using loaded default & fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=no", "default", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'default=no' using loaded default & fips provider"); + 
ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "default=yes", "default", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'default=yes' using loaded default & fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=no", "default", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'fips=no' using loaded default & fips provider"); + ok(run(test(["evp_fetch_prov_test", "-type", "$alg", "-property", "fips=yes", "default", "fips"])), + "running evp_fetch_prov_test with $alg fetch 'fips=yes' using loaded default & fips provider"); +}
\ No newline at end of file |
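Review bot: This new recipe carries a `Copyright 2015-2016` header although the file is created in 2019; the year range should match the file's actual origin. The file also ends without a trailing newline (`\ No newline at end of file`), which the rest of the recipes do not do. The empty `"-property", ""` cases deliberately exercise an empty property string rather than an absent one, but nothing in the recipe says so; a short comment such as `# "" is a present-but-empty property query, distinct from omitting -property` would make that intent visible.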