test: update ssl_new tests in line with pedantic FIPS policy

Add a new option to the `test' section of SSL test data structure. This contains a space separated list of version checks, all of which must pass. Note that the version checks are as they as because: - 3.1.0 doesn't have mandatory EMS support, so it can run the old tests. - 3.1.1 (& later) will have mandatory EMS support, so they can't run them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20762) (cherry picked from commit 4454c20f02)
2023-04-18 14:41:17 +10:00 · 2023-04-18 14:41:17 +10:00 · 3375ae4184
parent 313849eeb7
commit 3375ae4184
5 changed files with 29 additions and 0 deletions
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@ -639,6 +639,9 @@ IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg)

+/* FIPS provider version limiting */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, fips_version)
+
 /* Known test options and their corresponding parse methods. */

 /* Top-level options. */
@ -678,6 +681,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
    { "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug },
    { "ExpectedCipher", &parse_test_expected_cipher },
    { "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data },
+    { "FIPSversion", &parse_test_fips_version },
 };

 /* Nested client options. */
@ -767,6 +771,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
    sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
    sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
    OPENSSL_free(ctx->expected_cipher);
+    OPENSSL_free(ctx->fips_version);
    OPENSSL_free(ctx);
 }

--- a/test/helpers/ssl_test_ctx.h
+++ b/test/helpers/ssl_test_ctx.h
@ -228,6 +228,9 @@ typedef struct {
    char *expected_session_ticket_app_data;

    OSSL_LIB_CTX *libctx;
+
+    /* FIPS version string to check for compatibility */
+    char *fips_version;
 } SSL_TEST_CTX;

 const char *ssl_test_result_name(ssl_test_result_t result);
--- a/test/ssl-tests/30-extended-master-secret.cnf
+++ b/test/ssl-tests/30-extended-master-secret.cnf
@ -32,6 +32,7 @@ VerifyMode = Peer

 [test-0]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


 # ===========================================================
@ -57,6 +58,7 @@ VerifyMode = Peer

 [test-1]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


 # ===========================================================
@ -83,6 +85,7 @@ VerifyMode = Peer

 [test-2]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


 # ===========================================================
@ -122,6 +125,7 @@ VerifyMode = Peer

 [test-3]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 HandshakeMode = Resume


@ -148,6 +152,7 @@ VerifyMode = Peer

 [test-4]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


 # ===========================================================
@ -173,6 +178,7 @@ VerifyMode = Peer

 [test-5]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


 # ===========================================================
@ -199,5 +205,6 @@ VerifyMode = Peer

 [test-6]
 ExpectedResult = Success
+FIPSversion = <=3.1.0


--- a/test/ssl-tests/30-extended-master-secret.cnf.in
+++ b/test/ssl-tests/30-extended-master-secret.cnf.in
@ -27,6 +27,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -40,6 +41,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -54,6 +56,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -75,6 +78,7 @@ my @tests_tls1_2 = (
        test   => {
 	  "HandshakeMode" => "Resume",
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -88,6 +92,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -101,6 +106,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
    {
@ -115,6 +121,7 @@ my @tests_tls1_2 = (
        },
        test   => {
          "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
        },
    },
 );
--- a/test/ssl_test.c
+++ b/test/ssl_test.c
@ -406,6 +406,13 @@ static int test_handshake(int idx)
    if (!TEST_ptr(test_ctx))
        goto err;

+    /* Verify that the FIPS provider supports this test */
+    if (test_ctx->fips_version != NULL
+                && !fips_provider_version_match(libctx, test_ctx->fips_version)) {
+            ret = TEST_skip("FIPS provider unable to run this test");
+            goto err;
+    }
+
 #ifndef OPENSSL_NO_DTLS
    if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
        server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());