author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-05 06:08:27 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-18 16:20:50 +0300 |
commit | 991a6bb58182d4d2077a68eb813c897b7de73462 (patch) | |
tree | 738fc724534be090323181dc445cf19e442b827c /test | |
parent | 7a810fac866c6c1d93015999633ee2a29f17b3d2 (diff) |
Add option to fipsinstall to disable fips security checks at run time.
Changes merged from a patch by @richsalz.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'test')
-rw-r--r-- | test/evp_test.c | 40 | ||||
-rw-r--r-- | test/recipes/30-test_evp_data/evppkey_rsa.txt | 2 |
2 files changed, 37 insertions, 5 deletions
diff --git a/test/evp_test.c b/test/evp_test.c
index 14ea4a8496..a146f4726f 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -21,6 +21,7 @@
 #include <openssl/kdf.h>
 #include <openssl/params.h>
 #include <openssl/core_names.h>
+#include <openssl/fips_names.h>
 #include "internal/numbers.h"
 #include "internal/nelem.h"
 #include "crypto/evp.h"
@@ -3286,6 +3287,33 @@ static char *take_value(PAIR *pp)
 return p;
 }
+static int securitycheck_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ if (OSSL_PROVIDER_available(libctx, "fips")) {
+ OSSL_PARAM params[2];
+ OSSL_PROVIDER *prov = NULL;
+ int check = 1;
+
+ prov = OSSL_PROVIDER_load(libctx, "fips");
+ if (prov != NULL) {
+ params[0] =
+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_SECURITY_CHECKS,
+ &check);
+ params[1] = OSSL_PARAM_construct_end();
+ OSSL_PROVIDER_get_params(prov, params);
+ OSSL_PROVIDER_unload(prov);
+ }
+ enabled = check;
+ return enabled;
+ }
+ enabled = 0;
+ }
+ return enabled;
+}
+
 /*
 * Return 1 if one of the providers named in the string is available.
 * The provider names are separated with whitespace.
@@ -3445,11 +3473,15 @@ start:
 for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
 if (strcmp(pp->key, "Securitycheck") == 0) {
 #if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- TEST_info("skipping, securitycheck is not available: %s:%d",
- t->s.test_file, t->s.start);
- t->skip = 1;
- return 0;
+#else
+ if (!securitycheck_enabled())
 #endif
+ {
+ TEST_info("skipping, Securitycheck is disabled: %s:%d",
+ t->s.test_file, t->s.start);
+ t->skip = 1;
+ return 0;
+ }
 } else if (strcmp(pp->key, "Availablein") == 0) {
 TEST_info("Line %d: 'Availablein' should be the first option",
 t->s.curr);
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa.txt b/test/recipes/30-test_evp_data/evppkey_rsa.txt
index 15065cee77..4354bd649a 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa.txt
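Review bot: The result of `OSSL_PROVIDER_get_params(prov, params)` in securitycheck_enabled() is discarded, so a failed query, like a failed `OSSL_PROVIDER_load`, leaves `check` at its initial 1 and the helper reports security checks as enabled without having read the provider's setting. That default fails toward running the Securitycheck cases, which is the conservative direction, but nothing in the code says it is intended. I would make it visible with `if (!OSSL_PROVIDER_get_params(prov, params)) TEST_info("could not read the fips security-checks setting, assuming enabled");`. The function also needs a header comment stating that it returns 1 when the fips provider reports security checks on or cannot be queried, 0 when no fips provider is available in `libctx`, and that the answer is cached in a static for the life of the process.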
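Review bot: Wrapping only the `if (!securitycheck_enabled())` line in `#if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)` / `#else` / `#endif` makes the brace block that follows conditional in one build and unconditional in the other, which is easy to misread and easy to break in a later edit. Having securitycheck_enabled() itself return 0 when `OPENSSL_NO_FIPS_SECURITYCHECKS` is defined would leave a plain `if (!securitycheck_enabled()) {` at this call site. The single message "Securitycheck is disabled" now covers the compiled-out build, a run-time disabled check and, as far as the helper shows, a run where no fips provider is available, so the log no longer says why a security-check test was skipped. The enclosing function starts and ends outside the hunk.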
@@ -14,7 +14,7 @@ # Private keys used for PKEY operations. -# Any Tests that keys <2048 bits OR sign with SHA1 are in this file. +# Any Tests that have keys < 2048 bits OR sign with SHA1 are in this file. # RSA 2048 bit key. |