-rw-r--r-- | test/recipes/90-test_sslprovider.t | 38 | ||||
-rw-r--r-- | test/sslprovidertest.c | 66 |
2 files changed, 83 insertions, 21 deletions
diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t index 9781091bba..f0ff38a386 100644 --- a/test/recipes/90-test_sslprovider.t +++ b/test/recipes/90-test_sslprovider.t @@ -8,14 +8,46 @@ use OpenSSL::Test::Utils; -use OpenSSL::Test qw/:DEFAULT srctop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir/; +BEGIN { setup("test_sslprovider"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); -plan tests => 1; +plan tests => 3; + +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); + +SKIP: { + skip "Skipping FIPS installation", 1 + if disabled("fips"); -ok(run(test(["sslprovidertest", srctop_dir("test", "certs")])), + ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsinstall.cnf'), + '-module', bldtop_file('providers', platform->dso('fips')), + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), + "fipsinstall"); +} + +ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "default", + srctop_file("test", "default.cnf")])), "running sslprovidertest"); + +SKIP: { + skip "Skipping FIPS provider test", 1 + if disabled("fips"); + + ok(run(test(["sslprovidertest", srctop_dir("test", "certs"), "fips", + srctop_file("test", "fips.cnf")])), + "running sslprovidertest"); +} diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c index 76a6f8f6b2..5f78554fb9 100644 --- a/test/sslprovidertest.c +++ b/test/sslprovidertest.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include <string.h> #include <openssl/provider.h> #include "ssltestlib.h" 
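Review bot: Both new `ok(run(test(["sslprovidertest", ...])))` calls carry the same description `"running sslprovidertest"`, so a TAP failure does not say whether the default-provider or the fips-provider run broke; use `"running sslprovidertest with the default provider"` and `"running sslprovidertest with the fips provider"`. The fips run is also attempted even when the preceding `fipsinstall` ok() failed, which then reports a second, derived failure; capturing the result (`my $fipsinstalled = run(app([...]))`, `ok($fipsinstalled, "fipsinstall")`) and adding `skip "fipsinstall failed", 1 unless $fipsinstalled;` to the second SKIP block keeps the report to the root cause. The generated `fipsinstall.cnf` is written to a shared build location, `bldtop_file('providers', 'fipsinstall.cnf')`, so if other recipes run fipsinstall to the same file, a parallel test run could race on it — worth confirming. `hexkey:00` is a test-only integrity key; a one-line comment saying so (`# test-only HMAC key; never use in a real install`) would help readers.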
@@ -14,9 +15,10 @@ static char *cert = NULL; static char *privkey = NULL; +static char *modulename = NULL; +static char *configfile = NULL; -/* TODO(3.0): Re-enable this code. See comment in setup_tests() */ -OSSL_PROVIDER *defctxlegacy = NULL; +static OSSL_PROVIDER *defctxlegacy = NULL; static int test_different_libctx(void) { @@ -24,10 +26,29 @@ static int test_different_libctx(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; OPENSSL_CTX *libctx = OPENSSL_CTX_new(); + OSSL_PROVIDER *prov = NULL; - /* Verify that the default provider in the default libctx is not available */ - if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + /* + * Verify that the default and fips providers in the default libctx are not + * available + */ + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) + || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) + goto end; + + if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile))) + goto end; + + prov = OSSL_PROVIDER_load(libctx, modulename); + if (!TEST_ptr(prov) + /* Check we have the provider available */ + || !TEST_true(OSSL_PROVIDER_available(libctx, modulename))) + goto end; + /* Check the default provider is not available */ + if (strcmp(modulename, "default") != 0 + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) goto end; + TEST_note("%s provider loaded", modulename); cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method()); if (!TEST_ptr(cctx)) @@ -62,10 +83,11 @@ static int test_different_libctx(void) goto end; /* - * Verify that the default provider in the default libctx is still not - * available + * Verify that the default and fips providers in the default libctx are + * still not available */ - if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) + || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) goto end; testresult = 1; 
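Review bot: The `!TEST_false(OSSL_PROVIDER_available(NULL, "default")) || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))` pair now appears twice in test_different_libctx (before the handshake and again after it), so any further provider name has to be added in both places. A small static helper, `static int default_ctx_is_clean(void)` returning `TEST_false(OSSL_PROVIDER_available(NULL, "default")) && TEST_false(OSSL_PROVIDER_available(NULL, "fips"))`, called from both spots keeps the leakage check in one place; the existing comment ("verify that the default and fips providers in the default libctx are not available") can then move onto the helper. The `strcmp(modulename, "default") != 0` gate is worth a one-line why-comment, e.g. `/* only meaningful when some other provider was loaded into libctx */`, since it reads as an oddly one-sided check otherwise. test_different_libctx starts and ends outside this hunk.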
@@ -76,6 +98,7 @@ static int test_different_libctx(void) SSL_CTX_free(sctx); SSL_CTX_free(cctx); + OSSL_PROVIDER_unload(prov); OPENSSL_CTX_free(libctx); return testresult; @@ -84,17 +107,15 @@ static int test_different_libctx(void) int setup_tests(void) { char *certsdir = NULL; - /* - * For tests in this file we want to ensure the default ctx does not have - * the default provider loaded into the default ctx. So we load "legacy" to - * prevent default from being auto-loaded. This tests that there is no - * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the - * specific libctx to be used - nothing should fall back to the default - * libctx - */ - defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"); - if (!TEST_ptr(certsdir = test_get_argument(0))) + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + + if (!TEST_ptr(certsdir = test_get_argument(0)) + || !TEST_ptr(modulename = test_get_argument(1)) + || !TEST_ptr(configfile = test_get_argument(2))) return 0; cert = test_mk_file_path(certsdir, "servercert.pem"); @@ -107,6 +128,16 @@ int setup_tests(void) return 0; } + /* + * For tests in this file we want to ensure the default ctx does not have + * the default provider loaded into the default ctx. So we load "legacy" to + * prevent default from being auto-loaded. This tests that there is no + * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the + * specific libctx to be used - nothing should fall back to the default + * libctx + */ + defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"); + ADD_TEST(test_different_libctx); return 1; @@ -114,6 +145,5 @@ int setup_tests(void) void cleanup_tests(void) { - /* TODO(3.0): Re-enable this code. See comment in setup_tests() */ OSSL_PROVIDER_unload(defctxlegacy); } |
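Review bot: The result of `OSSL_PROVIDER_load(NULL, "legacy")` in setup_tests is still unchecked, yet the comment directly above it states that this load is what keeps the default provider from being auto-loaded into the default libctx; if the legacy module cannot be loaded (for instance when OPENSSL_MODULES does not point at the providers directory) that precondition is silently not established and the later `TEST_false(OSSL_PROVIDER_available(NULL, "default"))` checks no longer test what they claim. Make the precondition explicit: `defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy");` followed by `if (!TEST_ptr(defctxlegacy))` and `return 0;`. If builds configured without the legacy provider are expected to run this recipe, pair that with a `skip` on `disabled("legacy")` in the .t file rather than leaving the load unchecked here. setup_tests starts and ends outside this hunk.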