[openssl] master update
Matt Caswell
matt at openssl.org
Sun Apr 19 13:47:45 UTC 2020
The branch master has been updated
via c0bfc473d80ef2e053032510149d9e5b9d81dd72 (commit)
via 4f6c704495248d4e61b7668201e3bef47a45e35f (commit)
via 5e30f2fd58bac0db5c23e33e865fa70bd6eb4349 (commit)
from 09ec5e6f5d08a854d40e4a1847759fc6a5793ec6 (commit)
- Log -----------------------------------------------------------------
commit c0bfc473d80ef2e053032510149d9e5b9d81dd72
Author: Matt Caswell <matt at openssl.org>
Date: Fri Apr 10 16:32:16 2020 +0100
Use the libctx for all EVP_PKEY_CTX operations
There were a few places where we were not passing through the libctx
when constructing and EVP_PKEY_CTX.
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
commit 4f6c704495248d4e61b7668201e3bef47a45e35f
Author: Matt Caswell <matt at openssl.org>
Date: Sat Mar 21 00:39:27 2020 +0000
Re-enable FIPS testing in sslapitest.c
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
commit 5e30f2fd58bac0db5c23e33e865fa70bd6eb4349
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 18 17:17:37 2020 +0000
Use a non-default libctx in sslapitest
We also don't load the default provider into the default libctx to make
sure there is no accidental "leakage".
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_lib.c | 51 +-------
ssl/ssl_local.h | 1 +
ssl/t1_lib.c | 70 +++++------
test/asynciotest.c | 3 +-
test/dtlstest.c | 8 +-
test/fatalerrtest.c | 2 +-
test/gosttest.c | 2 +-
test/recipes/90-test_sslapi.t | 36 +++++-
test/recordlentest.c | 3 +-
test/servername_test.c | 2 +-
test/sslapitest.c | 272 +++++++++++++++++++++++++++---------------
test/sslbuffertest.c | 2 +-
test/sslcorrupttest.c | 3 +-
test/sslprovidertest.c | 12 +-
test/ssltestlib.c | 7 +-
test/ssltestlib.h | 8 +-
test/tls13ccstest.c | 4 +-
17 files changed, 276 insertions(+), 210 deletions(-)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a99522a006..fde68943a9 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4739,40 +4739,10 @@ EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
goto err;
}
gtype = ginf->flags & TLS_GROUP_TYPE;
- /*
- * TODO(3.0): Convert these EVP_PKEY_CTX_new_id calls to ones that take
- * s->ctx->libctx and s->ctx->propq when keygen has been updated to be
- * provider aware.
- */
-# ifndef OPENSSL_NO_DH
- if (gtype == TLS_GROUP_FFDHE)
-# if 0
- pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
-# else
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, NULL);
-# endif
-# ifndef OPENSSL_NO_EC
- else
-# endif /* OPENSSL_NO_EC */
-# endif /* OPENSSL_NO_DH */
-# ifndef OPENSSL_NO_EC
- {
- /*
- * TODO(3.0): When provider based EC key gen is present we can enable
- * this code.
- */
- if (gtype == TLS_GROUP_CURVE_CUSTOM)
- pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
- else
-# if 0
- pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "EC",
- s->ctx->propq);
-# else
- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
-# endif
- }
-# endif /* OPENSSL_NO_EC */
+ pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, ginf->keytype,
+ s->ctx->propq);
+
if (pctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_MALLOC_FAILURE);
@@ -4838,11 +4808,7 @@ EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id)
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
-#if 0
const char *pkey_ctx_name;
-#else
- int pkey_ctx_id;
-#endif
if (ginf == NULL)
goto err;
@@ -4855,20 +4821,9 @@ EVP_PKEY *ssl_generate_param_group(SSL *s, uint16_t id)
return NULL;
}
- /*
- * TODO(3.0): Convert this EVP_PKEY_CTX_new_id call to one that takes
- * s->ctx->libctx and s->ctx->propq when paramgen has been updated to be
- * provider aware.
- */
-#if 0
pkey_ctx_name = (ginf->flags & TLS_GROUP_FFDHE) != 0 ? "DH" : "EC";
pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, pkey_ctx_name,
s->ctx->propq);
-#else
- pkey_ctx_id = (ginf->flags & TLS_GROUP_FFDHE)
- ? EVP_PKEY_DH : EVP_PKEY_EC;
- pctx = EVP_PKEY_CTX_new_id(pkey_ctx_id, NULL);
-#endif
if (pctx == NULL)
goto err;
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index a7e0d71179..d8b25bb4e8 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -1760,6 +1760,7 @@ typedef struct sigalg_lookup_st {
typedef struct tls_group_info_st {
int nid; /* Curve NID */
+ const char *keytype;
int secbits; /* Bits of security (from SP800-57) */
uint32_t flags; /* For group type and applicable TLS versions */
uint16_t group_id; /* Group ID */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index ebd094df9b..b9b3a60252 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -142,44 +142,44 @@ int tls1_clear(SSL *s)
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
static const TLS_GROUP_INFO nid_list[] = {
# ifndef OPENSSL_NO_EC
- {NID_sect163k1, 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */
- {NID_sect163r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */
- {NID_sect163r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */
- {NID_sect193r1, 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */
- {NID_sect193r2, 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */
- {NID_sect233k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */
- {NID_sect233r1, 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */
- {NID_sect239k1, 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */
- {NID_sect283k1, 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */
- {NID_sect283r1, 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */
- {NID_sect409k1, 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */
- {NID_sect409r1, 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */
- {NID_sect571k1, 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */
- {NID_sect571r1, 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */
- {NID_secp160k1, 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */
- {NID_secp160r1, 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */
- {NID_secp160r2, 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */
- {NID_secp192k1, 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */
- {NID_X9_62_prime192v1, 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */
- {NID_secp224k1, 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */
- {NID_secp224r1, 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */
- {NID_secp256k1, 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */
- {NID_X9_62_prime256v1, 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */
- {NID_secp384r1, 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */
- {NID_secp521r1, 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */
- {NID_brainpoolP256r1, 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */
- {NID_brainpoolP384r1, 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */
- {NID_brainpoolP512r1, 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */
- {EVP_PKEY_X25519, 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */
- {EVP_PKEY_X448, 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */
+ {NID_sect163k1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0001}, /* sect163k1 (1) */
+ {NID_sect163r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0002}, /* sect163r1 (2) */
+ {NID_sect163r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0003}, /* sect163r2 (3) */
+ {NID_sect193r1, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0004}, /* sect193r1 (4) */
+ {NID_sect193r2, "EC", 80, TLS_GROUP_CURVE_CHAR2, 0x0005}, /* sect193r2 (5) */
+ {NID_sect233k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0006}, /* sect233k1 (6) */
+ {NID_sect233r1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0007}, /* sect233r1 (7) */
+ {NID_sect239k1, "EC", 112, TLS_GROUP_CURVE_CHAR2, 0x0008}, /* sect239k1 (8) */
+ {NID_sect283k1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x0009}, /* sect283k1 (9) */
+ {NID_sect283r1, "EC", 128, TLS_GROUP_CURVE_CHAR2, 0x000A}, /* sect283r1 (10) */
+ {NID_sect409k1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000B}, /* sect409k1 (11) */
+ {NID_sect409r1, "EC", 192, TLS_GROUP_CURVE_CHAR2, 0x000C}, /* sect409r1 (12) */
+ {NID_sect571k1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000D}, /* sect571k1 (13) */
+ {NID_sect571r1, "EC", 256, TLS_GROUP_CURVE_CHAR2, 0x000E}, /* sect571r1 (14) */
+ {NID_secp160k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x000F}, /* secp160k1 (15) */
+ {NID_secp160r1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0010}, /* secp160r1 (16) */
+ {NID_secp160r2, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0011}, /* secp160r2 (17) */
+ {NID_secp192k1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0012}, /* secp192k1 (18) */
+ {NID_X9_62_prime192v1, "EC", 80, TLS_GROUP_CURVE_PRIME, 0x0013}, /* secp192r1 (19) */
+ {NID_secp224k1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0014}, /* secp224k1 (20) */
+ {NID_secp224r1, "EC", 112, TLS_GROUP_CURVE_PRIME, 0x0015}, /* secp224r1 (21) */
+ {NID_secp256k1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0016}, /* secp256k1 (22) */
+ {NID_X9_62_prime256v1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x0017}, /* secp256r1 (23) */
+ {NID_secp384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x0018}, /* secp384r1 (24) */
+ {NID_secp521r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x0019}, /* secp521r1 (25) */
+ {NID_brainpoolP256r1, "EC", 128, TLS_GROUP_CURVE_PRIME, 0x001A}, /* brainpoolP256r1 (26) */
+ {NID_brainpoolP384r1, "EC", 192, TLS_GROUP_CURVE_PRIME, 0x001B}, /* brainpoolP384r1 (27) */
+ {NID_brainpoolP512r1, "EC", 256, TLS_GROUP_CURVE_PRIME, 0x001C}, /* brainpool512r1 (28) */
+ {EVP_PKEY_X25519, "X25519", 128, TLS_GROUP_CURVE_CUSTOM, 0x001D}, /* X25519 (29) */
+ {EVP_PKEY_X448, "X448", 224, TLS_GROUP_CURVE_CUSTOM, 0x001E}, /* X448 (30) */
# endif /* OPENSSL_NO_EC */
# ifndef OPENSSL_NO_DH
/* Security bit values for FFDHE groups are updated as per RFC 7919 */
- {NID_ffdhe2048, 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */
- {NID_ffdhe3072, 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */
- {NID_ffdhe4096, 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */
- {NID_ffdhe6144, 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */
- {NID_ffdhe8192, 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */
+ {NID_ffdhe2048, "DH", 103, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0100}, /* ffdhe2048 (0x0100) */
+ {NID_ffdhe3072, "DH", 125, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0101}, /* ffdhe3072 (0x0101) */
+ {NID_ffdhe4096, "DH", 150, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0102}, /* ffdhe4096 (0x0102) */
+ {NID_ffdhe6144, "DH", 175, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0103}, /* ffdhe6144 (0x0103) */
+ {NID_ffdhe8192, "DH", 192, TLS_GROUP_FFDHE_FOR_TLS1_3, 0x0104}, /* ffdhe8192 (0x0104) */
# endif /* OPENSSL_NO_DH */
};
#endif
diff --git a/test/asynciotest.c b/test/asynciotest.c
index dcdee1068d..57f895b655 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -296,7 +296,8 @@ static int test_asyncio(int test)
const char testdata[] = "Test data";
char buf[sizeof(testdata)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&serverctx, &clientctx, cert, privkey)))
goto end;
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 607768832b..1ab89250d3 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -61,7 +61,7 @@ static int test_dtls_unprocessed(int testidx)
timer_cb_count = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -156,7 +156,7 @@ static int test_dtls_drop_records(int idx)
SSL_SESSION *sess = NULL;
int cli_to_srv_epoch0, cli_to_srv_epoch1, srv_to_cli_epoch0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -267,7 +267,7 @@ static int test_cookie(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -299,7 +299,7 @@ static int test_dtls_duplicate_records(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c
index 184392cff2..c1e95af4b8 100644
--- a/test/fatalerrtest.c
+++ b/test/fatalerrtest.c
@@ -28,7 +28,7 @@ static int test_fatalerr(void)
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
- if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_method(), TLS_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto err;
diff --git a/test/gosttest.c b/test/gosttest.c
index f619ebd35d..b61e4efa49 100644
--- a/test/gosttest.c
+++ b/test/gosttest.c
@@ -46,7 +46,7 @@ static int test_tls13(int idx)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
0,
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index f01056c6f6..5e137c5e77 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -8,21 +8,51 @@
use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/;
use File::Temp qw(tempfile);
+BEGIN {
setup("test_sslapi");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
-plan tests => 1;
+plan tests =>
+ ($no_fips ? 0 : 2) # FIPS install test + sslapitest with fips
+ + 1; # sslapitest with default provider
(undef, my $tmpfilename) = tempfile();
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
+
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
- "passwd.txt"), $tmpfilename])),
+ "passwd.txt"), $tmpfilename, "default",
+ srctop_file("test", "default.cnf")])),
"running sslapitest");
+unless ($no_fips) {
+ ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-module', bldtop_file('providers', platform->dso('fips')),
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_sect'])),
+ "fipsinstall");
+
+ ok(run(test(["sslapitest", srctop_dir("test", "certs"),
+ srctop_file("test", "recipes", "90-test_sslapi_data",
+ "passwd.txt"), $tmpfilename, "fips",
+ srctop_file("test", "fips.cnf")])),
+ "running sslapitest");
+}
+
unlink $tmpfilename;
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 01cc53469b..a9932bfddc 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -102,7 +102,8 @@ static int test_record_overflow(int idx)
ERR_clear_error();
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
diff --git a/test/servername_test.c b/test/servername_test.c
index 33e62a169b..64e9eeb93b 100644
--- a/test/servername_test.c
+++ b/test/servername_test.c
@@ -190,7 +190,7 @@ static int server_setup_sni(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 7956353f49..b1522b451d 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -28,6 +28,7 @@
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/core_names.h>
+#include <openssl/provider.h>
#include "ssltestlib.h"
#include "testutil.h"
@@ -36,6 +37,9 @@
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+static OPENSSL_CTX *libctx = NULL;
+static OSSL_PROVIDER *defctxnull = NULL;
+
#ifndef OPENSSL_NO_TLS1_3
static SSL_SESSION *clientpsk = NULL;
@@ -60,6 +64,8 @@ static char *privkey = NULL;
static char *srpvfile = NULL;
static char *tmpfilename = NULL;
+static int is_fips = 0;
+
#define LOG_BUFFER_SIZE 2048
static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0};
static size_t server_log_buffer_index = 0;
@@ -339,7 +345,7 @@ static int test_keylog(void)
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -423,8 +429,8 @@ static int test_keylog_no_master_key(void)
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
@@ -569,8 +575,8 @@ static int test_client_hello_cb(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testctr = 0, testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
@@ -611,7 +617,7 @@ static int test_no_ems(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
@@ -671,7 +677,7 @@ static int test_ccs_change_cipher(void)
* Create a conection so we can resume and potentially (but not) use
* a different cipher in the second connection.
*/
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -783,8 +789,9 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
if (!TEST_ptr(chaincert))
goto end;
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (read_ahead) {
@@ -967,7 +974,7 @@ static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
return 1;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_2_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -1081,7 +1088,7 @@ static int test_ktls_sendfile(void)
}
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_2_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -1278,7 +1285,7 @@ static int ocsp_server_cb(SSL *s, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
id = sk_OCSP_RESPID_value(ids, 0);
- if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL))
+ if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
return SSL_TLSEXT_ERR_ALERT_FATAL;
} else if (*argi != 1) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -1318,7 +1325,7 @@ static int test_tlsext_status_type(void)
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
return 0;
@@ -1406,7 +1413,7 @@ static int test_tlsext_status_type(void)
|| !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
|| !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
NULL, NULL, NULL))
- || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL))
+ || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
|| !TEST_true(sk_OCSP_RESPID_push(ids, id)))
goto end;
id = NULL;
@@ -1487,8 +1494,8 @@ static int execute_test_session(int maxprot, int use_int_cache,
if (maxprot == TLS1_3_VERSION)
numnewsesstick = 2;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -1835,9 +1842,9 @@ static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
{
int sess_id_ctx = 1;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, sctx,
- cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ sctx, cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
|| !TEST_true(SSL_CTX_set_session_id_context(*sctx,
(void *)&sess_id_ctx,
@@ -2035,9 +2042,9 @@ static int test_psk_tickets(void)
int testresult = 0;
int sess_id_ctx = 1;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, &sctx,
- &cctx, NULL, NULL))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ &sctx, &cctx, NULL, NULL))
|| !TEST_true(SSL_CTX_set_session_id_context(sctx,
(void *)&sess_id_ctx,
sizeof(sess_id_ctx))))
@@ -2161,8 +2168,8 @@ static int test_ssl_set_bio(int idx)
conntype = idx % 2;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -2265,7 +2272,7 @@ static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
SSL *ssl = NULL;
int testresult = 0;
- if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
+ if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
|| !TEST_ptr(ssl = SSL_new(ctx))
|| !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
|| !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
@@ -2384,8 +2391,8 @@ static int test_set_sigalgs(int idx)
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -2623,7 +2630,7 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
SSL **serverssl, SSL_SESSION **sess, int idx)
{
if (*sctx == NULL
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
sctx, cctx, cert, privkey)))
@@ -2950,9 +2957,9 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt)
allow_ed_cb_called = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (usecb > 0) {
@@ -3670,8 +3677,8 @@ static int test_set_ciphersuite(int idx)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(sctx,
"TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
@@ -3740,9 +3747,13 @@ static int test_ciphersuite_change(void)
const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
+ || !TEST_true(SSL_CTX_set_ciphersuites(sctx,
+ "TLS_AES_128_GCM_SHA256:"
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_CCM_SHA256"))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
|| !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
@@ -3760,12 +3771,11 @@ static int test_ciphersuite_change(void)
SSL_free(clientssl);
serverssl = clientssl = NULL;
-# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
/* Check we can resume a session with a different SHA-256 ciphersuite */
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
- "TLS_CHACHA20_POLY1305_SHA256"))
- || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
- NULL, NULL))
+ "TLS_AES_128_CCM_SHA256"))
+ || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl,
+ &clientssl, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl, clntsess))
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))
@@ -3779,7 +3789,6 @@ static int test_ciphersuite_change(void)
SSL_free(serverssl);
SSL_free(clientssl);
serverssl = clientssl = NULL;
-# endif
/*
* Check attempting to resume a SHA-256 session with no SHA-256 ciphersuites
@@ -3953,9 +3962,10 @@ static int test_key_exchange(int idx)
return 1;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
@@ -4027,15 +4037,19 @@ static int test_tls13_ciphersuite(int idx)
{
SSL_CTX *sctx = NULL, *cctx = NULL;
SSL *serverssl = NULL, *clientssl = NULL;
- static const char *t13_ciphers[] = {
- TLS1_3_RFC_AES_128_GCM_SHA256,
- TLS1_3_RFC_AES_256_GCM_SHA384,
- TLS1_3_RFC_AES_128_CCM_SHA256,
+ static const struct {
+ const char *ciphername;
+ int fipscapable;
+ } t13_ciphers[] = {
+ { TLS1_3_RFC_AES_128_GCM_SHA256, 1 },
+ { TLS1_3_RFC_AES_256_GCM_SHA384, 1 },
+ { TLS1_3_RFC_AES_128_CCM_SHA256, 1 },
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
- TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
- TLS1_3_RFC_AES_256_GCM_SHA384 ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ { TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
+ { TLS1_3_RFC_AES_256_GCM_SHA384
+ ":" TLS1_3_RFC_CHACHA20_POLY1305_SHA256, 0 },
# endif
- TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256
+ { TLS1_3_RFC_AES_128_CCM_8_SHA256 ":" TLS1_3_RFC_AES_128_CCM_SHA256, 1 }
};
const char *t13_cipher = NULL;
const char *t12_cipher = NULL;
@@ -4070,8 +4084,10 @@ static int test_tls13_ciphersuite(int idx)
continue;
# endif
for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
- t13_cipher = t13_ciphers[i];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (is_fips && !t13_ciphers[i].fipscapable)
+ continue;
+ t13_cipher = t13_ciphers[i].ciphername;
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, max_ver,
&sctx, &cctx, cert, privkey)))
@@ -4172,8 +4188,8 @@ static int test_tls13_psk(int idx)
};
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, idx == 3 ? NULL : cert,
idx == 3 ? NULL : privkey)))
goto end;
@@ -4188,6 +4204,16 @@ static int test_tls13_psk(int idx)
if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256")))
goto end;
+ } else {
+ /*
+ * As noted above the server should prefer SHA256 automatically. However
+ * we are careful not to offer TLS_CHACHA20_POLY1305_SHA256 so this same
+ * code works even if we are testing with only the FIPS provider loaded.
+ */
+ if (!TEST_true(SSL_CTX_set_ciphersuites(cctx,
+ "TLS_AES_256_GCM_SHA384:"
+ "TLS_AES_128_GCM_SHA256")))
+ goto end;
}
/*
@@ -4425,8 +4451,8 @@ static int test_stateless(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -4649,13 +4675,13 @@ static int test_custom_exts(int tst)
clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
snicb = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
if (tst == 2
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
+ && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
TLS1_VERSION, 0,
&sctx2, NULL, cert, privkey)))
goto end;
@@ -4847,7 +4873,7 @@ static int test_serverinfo(int tst)
int ret, expected, testresult = 0;
SSL_CTX *ctx;
- ctx = SSL_CTX_new(TLS_method());
+ ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
if (!TEST_ptr(ctx))
goto end;
@@ -4927,6 +4953,8 @@ static int test_export_key_mat(int tst)
if (tst == 1)
return 1;
#endif
+ if (is_fips && (tst == 0 || tst == 1))
+ return 1;
#ifdef OPENSSL_NO_TLS1_2
if (tst == 2)
return 1;
@@ -4935,8 +4963,8 @@ static int test_export_key_mat(int tst)
if (tst >= 3)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -5132,7 +5160,7 @@ static int test_key_update(void)
char buf[20];
static char *mess = "A test message";
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
0,
@@ -5195,7 +5223,7 @@ static int test_key_update_in_write(int tst)
SSL *peerupdate = NULL, *peerwrite = NULL;
if (!TEST_ptr(bretry)
- || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
0,
@@ -5275,8 +5303,8 @@ static int test_ssl_clear(int idx)
#endif
/* Create an initial connection */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| (idx == 1
&& !TEST_true(SSL_CTX_set_max_proto_version(cctx,
@@ -5385,7 +5413,7 @@ static int test_max_fragment_len_ext(int idx_tst)
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
- ctx = SSL_CTX_new(TLS_method());
+ ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
if (!TEST_ptr(ctx))
goto end;
@@ -5435,8 +5463,8 @@ static int test_pha_key_update(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -5534,7 +5562,7 @@ static int create_new_vfile(char *userid, char *password, const char *filename)
goto end;
gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
- &row[DB_srpverifier], NULL, NULL, NULL, NULL);
+ &row[DB_srpverifier], NULL, NULL, libctx, NULL);
if (!TEST_ptr(gNid))
goto end;
@@ -5591,7 +5619,7 @@ static int create_new_vbase(char *userid, char *password)
goto end;
if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
- lgN->N, lgN->g, NULL, NULL)))
+ lgN->N, lgN->g, libctx, NULL)))
goto end;
user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
@@ -5658,8 +5686,8 @@ static int test_srp(int tst)
goto end;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -5919,7 +5947,7 @@ static int test_info_callback(int tst)
}
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
tlsvers, tlsvers, &sctx, &cctx, cert,
privkey)))
@@ -5979,14 +6007,14 @@ static int test_ssl_pending(int tst)
size_t written, readbytes;
if (tst == 0) {
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
} else {
#ifndef OPENSSL_NO_DTLS
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -6098,7 +6126,7 @@ static int test_ssl_get_shared_ciphers(int tst)
int testresult = 0;
char buf[1024];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
shared_ciphers_data[tst].maxprot,
@@ -6205,16 +6233,26 @@ static int tick_key_cb(SSL *s, unsigned char key_name[16],
{
const unsigned char tick_aes_key[16] = "0123456789abcdef";
const unsigned char tick_hmac_key[16] = "0123456789abcdef";
+ EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
+ EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
+ int ret;
tick_key_cb_called = 1;
memset(iv, 0, AES_BLOCK_SIZE);
memset(key_name, 0, 16);
- if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
- || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
- EVP_sha256(), NULL))
- return -1;
+ if (aes128cbc == NULL
+ || sha256 == NULL
+ || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
+ || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
+ NULL))
+ ret = -1;
+ else
+ ret = tick_key_renew ? 2 : 1;
+
+ EVP_CIPHER_free(aes128cbc);
+ EVP_MD_free(sha256);
- return tick_key_renew ? 2 : 1;
+ return ret;
}
#endif
@@ -6225,6 +6263,8 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
const unsigned char tick_aes_key[16] = "0123456789abcdef";
unsigned char tick_hmac_key[16] = "0123456789abcdef";
OSSL_PARAM params[3];
+ EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
+ int ret;
tick_key_cb_called = 1;
memset(iv, 0, AES_BLOCK_SIZE);
@@ -6235,12 +6275,17 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
tick_hmac_key,
sizeof(tick_hmac_key));
params[2] = OSSL_PARAM_construct_end();
- if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
+ if (aes128cbc == NULL
+ || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
|| !EVP_MAC_CTX_set_params(hctx, params)
|| !EVP_MAC_init(hctx))
- return -1;
+ ret = -1;
+ else
+ ret = tick_key_renew ? 2 : 1;
+
+ EVP_CIPHER_free(aes128cbc);
- return tick_key_renew ? 2 : 1;
+ return ret;
}
/*
@@ -6316,7 +6361,7 @@ static int test_ticket_callbacks(int tst)
tick_dec_ret = SSL_TICKET_RETURN_ABORT;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
((tst % 2) == 0) ? TLS1_2_VERSION
@@ -6440,7 +6485,7 @@ static int test_shutdown(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
(tst <= 1) ? TLS1_2_VERSION
@@ -6680,7 +6725,7 @@ static int test_cert_cb_int(int prot, int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
prot,
@@ -6814,7 +6859,7 @@ static int test_client_cert_cb(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
tst == 0 ? TLS1_2_VERSION
@@ -6878,7 +6923,7 @@ static int test_ca_names_int(int prot, int tst)
goto end;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
prot,
@@ -7036,8 +7081,9 @@ static int test_multiblock_write(int test_index)
/* Set up a buffer with some data that will be sent to the client */
RAND_bytes(msg, sizeof(msg));
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
@@ -7109,7 +7155,7 @@ static int test_servername(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
(tst <= 4) ? TLS1_2_VERSION
@@ -7234,10 +7280,27 @@ static int test_servername(int tst)
return testresult;
}
-OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
+OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
int setup_tests(void)
{
+ char *modulename;
+ char *configfile;
+
+ libctx = OPENSSL_CTX_new();
+ if (!TEST_ptr(libctx))
+ return 0;
+
+ defctxnull = OSSL_PROVIDER_load(NULL, "null");
+
+ /*
+ * Verify that the default and fips providers in the default libctx are not
+ * available
+ */
+ if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
+ || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
+ return 0;
+
if (!test_skip_common_options()) {
TEST_error("Error parsing test options\n");
return 0;
@@ -7245,9 +7308,26 @@ int setup_tests(void)
if (!TEST_ptr(certsdir = test_get_argument(0))
|| !TEST_ptr(srpvfile = test_get_argument(1))
- || !TEST_ptr(tmpfilename = test_get_argument(2)))
+ || !TEST_ptr(tmpfilename = test_get_argument(2))
+ || !TEST_ptr(modulename = test_get_argument(3))
+ || !TEST_ptr(configfile = test_get_argument(4)))
return 0;
+ if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
+ return 0;
+
+ /* Check we have the expected provider available */
+ if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
+ return 0;
+
+ /* Check the default provider is not available */
+ if (strcmp(modulename, "default") != 0
+ && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
+ return 0;
+
+ if (strcmp(modulename, "fips") == 0)
+ is_fips = 1;
+
if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
#ifdef OPENSSL_NO_CRYPTO_MDEBUG
TEST_error("not supported in this build");
@@ -7400,4 +7480,6 @@ void cleanup_tests(void)
OPENSSL_free(privkey);
bio_s_mempacket_test_free();
bio_s_always_retry_free();
+ OSSL_PROVIDER_unload(defctxnull);
+ OPENSSL_CTX_free(libctx);
}
diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c
index 3bce667b46..fa7bb8daeb 100644
--- a/test/sslbuffertest.c
+++ b/test/sslbuffertest.c
@@ -165,7 +165,7 @@ int setup_tests(void)
|| !TEST_ptr(pkey = test_get_argument(1)))
return 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, 0,
&serverctx, &clientctx, cert, pkey)) {
TEST_error("Failed to create SSL_CTX pair\n");
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index d201cd2b27..fd958b6510 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -193,7 +193,8 @@ static int test_ssl_corrupt(int testidx)
TEST_info("Starting #%d, %s", testidx, cipher_list[testidx]);
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c
index 5f78554fb9..fd29f797aa 100644
--- a/test/sslprovidertest.c
+++ b/test/sslprovidertest.c
@@ -50,20 +50,14 @@ static int test_different_libctx(void)
goto end;
TEST_note("%s provider loaded", modulename);
- cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method());
- if (!TEST_ptr(cctx))
- goto end;
- sctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_server_method());
- if (!TEST_ptr(sctx))
- goto end;
-
/*
* TODO(3.0): Make this work in TLSv1.3. Currently we can only do RSA key
* exchange, because we don't have key gen/param gen for EC yet - which
* implies TLSv1.2 only
*/
- if (!TEST_true(create_ssl_ctx_pair(NULL,
- NULL,
+ if (!TEST_true(create_ssl_ctx_pair(libctx,
+ TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION,
TLS1_2_VERSION,
&sctx, &cctx, cert, privkey)))
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index e579ceff92..f61767f8f5 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -684,7 +684,8 @@ static int always_retry_puts(BIO *bio, const char *str)
return -1;
}
-int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm,
+const SSL_METHOD *cm,
int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
@@ -694,13 +695,13 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
if (*sctx != NULL)
serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new(sm)))
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_with_libctx(libctx, NULL, sm)))
goto err;
if (cctx != NULL) {
if (*cctx != NULL)
clientctx = *cctx;
- else if (!TEST_ptr(clientctx = SSL_CTX_new(cm)))
+ else if (!TEST_ptr(clientctx = SSL_CTX_new_with_libctx(libctx, NULL, cm)))
goto err;
}
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index a45aaf81de..ac8bcb12ff 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -12,10 +12,10 @@
# include <openssl/ssl.h>
-int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile);
+int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm,
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile);
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio);
int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want,
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index 2820a0e8fa..2e1d76b395 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -254,8 +254,8 @@ static int test_tls13ccs(int tst)
sappdataseen = cappdataseen = badccs = badvers = badsessid = 0;
chsessidlen = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
More information about the openssl-commits
mailing list