test: update ssl_new tests in line with pedantic FIPS policy

Add a new option to the `test' section of SSL test data structure.
This contains a space separated list of version checks, all of which must
pass.

Note that the version checks are as they as because:

- 3.1.0 doesn't have mandatory EMS support, so it can run the old tests.
- 3.1.1 (& later) will have mandatory EMS support, so they can't run them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

(cherry picked from commit 4454c20f02)

test/helpers/ssl_test_ctx.c

@@ -639,6 +639,9 @@ IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg)
 
+/* FIPS provider version limiting */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, fips_version)
+
 /* Known test options and their corresponding parse methods. */
 
 /* Top-level options. */
@@ -678,6 +681,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
     { "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug },
     { "ExpectedCipher", &parse_test_expected_cipher },
     { "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data },
+    { "FIPSversion", &parse_test_fips_version },
 };
 
 /* Nested client options. */
@@ -767,6 +771,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
     sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
     sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
     OPENSSL_free(ctx->expected_cipher);
+    OPENSSL_free(ctx->fips_version);
     OPENSSL_free(ctx);
 }
 

test/helpers/ssl_test_ctx.h

@@ -228,6 +228,9 @@ typedef struct {
     char *expected_session_ticket_app_data;
 
     OSSL_LIB_CTX *libctx;
+
+    /* FIPS version string to check for compatibility */
+    char *fips_version;
 } SSL_TEST_CTX;
 
 const char *ssl_test_result_name(ssl_test_result_t result);

test/ssl-tests/30-extended-master-secret.cnf

@@ -32,6 +32,7 @@ VerifyMode = Peer
 
 [test-0]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 
 # ===========================================================
@@ -57,6 +58,7 @@ VerifyMode = Peer
 
 [test-1]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 
 # ===========================================================
@@ -83,6 +85,7 @@ VerifyMode = Peer
 
 [test-2]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 
 # ===========================================================
@@ -122,6 +125,7 @@ VerifyMode = Peer
 
 [test-3]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 HandshakeMode = Resume
 
 
@@ -148,6 +152,7 @@ VerifyMode = Peer
 
 [test-4]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 
 # ===========================================================
@@ -173,6 +178,7 @@ VerifyMode = Peer
 
 [test-5]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 
 # ===========================================================
@@ -199,5 +205,6 @@ VerifyMode = Peer
 
 [test-6]
 ExpectedResult = Success
+FIPSversion = <=3.1.0
 
 

test/ssl-tests/30-extended-master-secret.cnf.in

@@ -27,6 +27,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -40,6 +41,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -54,6 +56,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -75,6 +78,7 @@ my @tests_tls1_2 = (
         test   => {
 	  "HandshakeMode" => "Resume",
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -88,6 +92,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -101,6 +106,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
     {
@@ -115,6 +121,7 @@ my @tests_tls1_2 = (
         },
         test   => {
           "ExpectedResult" => "Success",
+          "FIPSversion" => "<=3.1.0",
         },
     },
 );

test/ssl_test.c

@@ -406,6 +406,13 @@ static int test_handshake(int idx)
     if (!TEST_ptr(test_ctx))
         goto err;
 
+    /* Verify that the FIPS provider supports this test */
+    if (test_ctx->fips_version != NULL
+                && !fips_provider_version_match(libctx, test_ctx->fips_version)) {
+            ret = TEST_skip("FIPS provider unable to run this test");
+            goto err;
+    }
+
 #ifndef OPENSSL_NO_DTLS
     if (test_ctx->method == SSL_TEST_METHOD_DTLS) {
         server_ctx = SSL_CTX_new_ex(libctx, NULL, DTLS_server_method());