author | Pauli <pauli@openssl.org> | 2022-09-22 08:21:58 +0300 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2022-11-02 00:42:46 +0300 |
commit | 6e38ac39bbf2bc899485c5f710a2ced6238b1ea1 (patch) | |
tree | 8436b61079e74cc81b4aa2040c354069f238c704 | |
parent | 464c1011b02936850fc779739013dba52650840a (diff) |
Update fipsinstall tests
Co-authored-by: Randall Steck <rsteck@thinqsoft.com>
Co-authored-by: Mark J. Minnoch <mark@keypair.us>
Co-authored-by: Steve Weymann <steve@keypair.us>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)
-rw-r--r-- | test/recipes/03-test_fipsinstall.t | 97 |
1 files changed, 67 insertions, 30 deletions
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t index 007e1be821..29a6ccfe59 100644 --- a/test/recipes/03-test_fipsinstall.t +++ b/test/recipes/03-test_fipsinstall.t @@ -24,10 +24,11 @@ use platform; plan skip_all => "Test only supported in a fips build" if disabled("fips"); -plan tests => 29; +plan tests => 30; my $infile = bldtop_file('providers', platform->dso('fips')); my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00'; +my $provconf = srctop_file("test", "fips-and-base.cnf"); # Read in a text $infile and replace the regular expression in $srch with the # value in $repl and output to a new file $outfile. 
@@ -226,10 +227,33 @@ SKIP: { "fipsinstall fails when the kas result is corrupted"); } -# corrupt a Signature test +# corrupt a Signature test - 140-3 requires a known answer test SKIP: { skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 if disabled("dsa"); + + run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too old for KAT DSA signature test", 1 + if !$exit; + ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", + '-section_name', 'fips_sect', + '-corrupt_desc', 'DSA', + '-corrupt_type', 'KAT_Signature'])), + "fipsinstall fails when the signature result is corrupted"); +} + +# corrupt a Signature test - 140-2 allows a pairwise consistency test +SKIP: { + skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 + if disabled("dsa"); + + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version is too new for KAT DSA signature test", 1 + if !$exit; ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", 
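Review bot: Both new SKIP blocks treat any failure of `fips_version_test` as a version mismatch, so if the helper fails for another reason (for instance `$provconf` failing to load; its exit behaviour is not visible here) the DSA self-test corruption checks are skipped rather than reported as failures. The same probe-then-skip pattern recurs in the hunks at -262 and -287. Consider running the `>=3.1.0` and `<3.1.0` probes once after `$provconf` is set and asserting that exactly one succeeded, e.g. `ok(!$pre_3_1 != !$post_3_1, "fips_version_test resolved the provider version");`, with `plan tests` raised to match. Separately, the second block's skip text says "too new for KAT DSA signature test" although its comment describes the pairwise consistency variant, and `$exit` holds a success flag rather than an exit code, so a name such as `$version_ok` would read better. The second block's `ok(...)` call continues past the end of the hunk.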
@@ -262,24 +286,31 @@ ok(replace_parent_line_file('fips_no_module_mac.cnf', '-config', 'fips_parent_no_module_mac.cnf'])), "verify load config fail no module mac"); -ok(replace_parent_line_file('fips_no_install_mac.cnf', - 'fips_parent_no_install_mac.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_no_install_mac.cnf'])), - "verify load config fail no install mac"); - -ok(replace_parent_line_file('fips_bad_indicator.cnf', - 'fips_parent_bad_indicator.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_bad_indicator.cnf'])), - "verify load config fail bad indicator"); - - -ok(replace_parent_line_file('fips_bad_install_mac.cnf', - 'fips_parent_bad_install_mac.cnf') - && !run(app(['openssl', 'fipsinstall', - '-config', 'fips_parent_bad_install_mac.cnf'])), - "verify load config fail bad install mac"); +SKIP: { + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version doesn't support self test indicator", 3 + if !$exit; + + ok(replace_parent_line_file('fips_no_install_mac.cnf', + 'fips_parent_no_install_mac.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_no_install_mac.cnf'])), + "verify load config fail no install mac"); + + ok(replace_parent_line_file('fips_bad_indicator.cnf', + 'fips_parent_bad_indicator.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_bad_indicator.cnf'])), + "verify load config fail bad indicator"); + + + ok(replace_parent_line_file('fips_bad_install_mac.cnf', + 'fips_parent_bad_install_mac.cnf') + && !run(app(['openssl', 'fipsinstall', + '-config', 'fips_parent_bad_install_mac.cnf'])), + "verify load config fail bad install mac"); +} ok(replace_parent_line_file('fips_bad_module_mac.cnf', 'fips_parent_bad_module_mac.cnf') 
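Review bot: With this guard a provider at 3.1.0 or later runs none of the three negative tests (no install MAC, bad indicator, bad install MAC), and the visible hunks add no counterpart that pins what such a provider should do with those configs. The same gap applies to the three `-self_test_onload` tests wrapped in the next hunk. A test on the newer-provider branch that asserts the intended outcome for these configs (to be confirmed against the provider's actual behaviour) would keep a regression in install-status handling from passing unnoticed. A short comment above the `SKIP:` line would also help, as the DSA blocks already have one, for example `# Providers >= 3.1.0 do not support the self test indicator, so these checks only apply to older ones.`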
@@ -287,17 +318,23 @@ ok(replace_parent_line_file('fips_bad_module_mac.cnf', '-config', 'fips_parent_bad_module_mac.cnf'])), "verify load config fail bad module mac"); +SKIP: { + run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), + capture => 1, statusvar => \my $exit); + skip "FIPS provider version doesn't support self test indicator", 3 + if !$exit; -my $stconf = "fipsmodule_selftest.cnf"; + my $stconf = "fipsmodule_selftest.cnf"; -ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, - '-module', $infile, '-self_test_onload'])), - "fipsinstall config saved without self test indicator"); + ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, + '-module', $infile, '-self_test_onload'])), + "fipsinstall config saved without self test indicator"); -ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, - '-module', $infile, '-verify'])), - "fipsinstall config verify fails without self test indicator"); + ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, + '-module', $infile, '-verify'])), + "fipsinstall config verify fails without self test indicator"); -ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, - '-module', $infile, '-self_test_onload', '-verify'])), - "fipsinstall config verify passes when self test indicator is not present"); + ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, + '-module', $infile, '-self_test_onload', '-verify'])), + "fipsinstall config verify passes when self test indicator is not present"); +} |