[openssl] master update

Richard Levitte levitte at openssl.org
Tue Apr 21 13:44:23 UTC 2020


The branch master has been updated
       via  1e78a50f5a9d4874e910a3b42f10c176197aea88 (commit)
      from  a87f3fe01a5a894aa27ccd6a239155fd129988e4 (commit)


- Log -----------------------------------------------------------------
commit 1e78a50f5a9d4874e910a3b42f10c176197aea88
Author: Richard Levitte <levitte at openssl.org>
Date:   Tue Apr 21 12:24:44 2020 +0200

    Revert "TEST: make and use a fipsinstall script"
    
    Unfortunately, this won't work on MacOS because of system integrity
    measures on that platform, which clear DYLD_LIBRARY_PATH before
    starting a sub-process executable.
    
    Ref: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html
    
    This reverts commit ae6b654b669638882a6ddce012ff55adc7cf6a82.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/11592)

-----------------------------------------------------------------------

Summary of changes:
 test/fipsinstall.pl                   | 53 -----------------------------------
 test/recipes/30-test_evp.t            |  8 +++++-
 test/recipes/30-test_evp_fetch_prov.t |  7 ++++-
 test/recipes/90-test_sslprovider.t    |  7 ++++-
 4 files changed, 19 insertions(+), 56 deletions(-)
 delete mode 100644 test/fipsinstall.pl

diff --git a/test/fipsinstall.pl b/test/fipsinstall.pl
deleted file mode 100644
index 48911452d1..0000000000
--- a/test/fipsinstall.pl
+++ /dev/null
@@ -1,53 +0,0 @@
-#! /usr/bin/env perl
-
-use strict;
-use warnings;
-
-use File::Spec;
-
-use if $^O eq "VMS", "VMS::Filespec";
-
-my $bldtop_dir;
-
-# First script argument MUST be the build top directory
-BEGIN {
-    $bldtop_dir = $ARGV[0];
-    # 'use lib' needs Unix-ish paths
-    $bldtop_dir = VMS::Filespec::unixpath($bldtop_dir) if $^O eq "VMS";
-}
-
-use lib $bldtop_dir;
-use FindBin;
-use lib "$FindBin::Bin/../Configurations";
-use platform;
-
-my @providers = ($bldtop_dir, 'providers');
-my $fips_cnf = File::Spec->catfile(@providers, 'fipsinstall.cnf');
-my $fips_module = File::Spec->catfile(@providers, platform->dso('fips'));
-my $openssl = File::Spec->catfile($bldtop_dir, 'apps',
-                                  platform->bin('openssl'));
-
-# We create the command like this to make it readable, then massage it with
-# a space replacement regexp to make it usable with system()
-my $cmd = <<_____;
-$openssl fipsinstall \
-    -out "{fips_cnf}" \
-    -module "{fips_module}" \
-    -provider_name "fips" \
-    -mac_name "HMAC" -macopt "digest:SHA256" -macopt "hexkey:00" \
-    -section_name "fips_sect"
-_____
-$cmd =~ s|\s+| |gm;
-$cmd =~ s|{fips_cnf}|$fips_cnf|;
-$cmd =~ s|{fips_module}|$fips_module|;
-
-my $exit = 0;
-system($cmd);
-die "Failed to run '$cmd'\n" if $? == -1;
-# If there was a signal, use it as exit code with high bit set.
-$exit = (($? & 255) | 128) if ($? & 255) != 0;
-# Otherwise, just return fipsinstall's exit code
-$exit = ($? >> 8);
-
-exit($exit);
-
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index bf792f21b5..7263f29290 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -79,10 +79,16 @@ plan tests =>
     + scalar(@defltfiles);
 
 unless ($no_fips) {
+    my $infile = bldtop_file('providers', platform->dso('fips'));
     $ENV{OPENSSL_MODULES} = bldtop_dir("providers");
     $ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
 
-    ok(run(perltest(['fipsinstall.pl', bldtop_dir()])),
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-module', $infile,
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                '-section_name', 'fips_sect'])),
        "fipsinstall");
 }
 
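Review bot: The full `openssl fipsinstall` argument list is now written out verbatim in three recipes (here, 30-test_evp_fetch_prov.t and 90-test_sslprovider.t), so a later change to the MAC options or the section name can land in only some of them and leave a recipe checking against a differently generated config. A single helper in the shared test library that returns the `app([...])` command would keep them in step while still invoking the binary directly, which is presumably what avoids the DYLD_LIBRARY_PATH problem the commit message describes; the call would shrink to something like `ok(run(fipsinstall_cmd()), "fipsinstall");` (the helper name is only a suggestion). Wherever the list ends up, it deserves a comment such as `# hexkey:00 is a fixed, publicly known HMAC key: test fixture only`, so the value is not copied into a real module install. In this hunk `$infile` is used once and is inlined in the other two recipes, so I would inline it here too.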
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t
index 00d71fa320..36c324eeb3 100644
--- a/test/recipes/30-test_evp_fetch_prov.t
+++ b/test/recipes/30-test_evp_fetch_prov.t
@@ -47,7 +47,12 @@ my @testdata = (
 
 unless ($no_fips) {
     push @setups, {
-        cmd     => perltest(['fipsinstall.pl', bldtop_dir()]),
+        cmd     => app(['openssl', 'fipsinstall',
+                        '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                        '-module', bldtop_file('providers', platform->dso('fips')),
+                        '-provider_name', 'fips', '-mac_name', 'HMAC',
+                        '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                        '-section_name', 'fips_sect']),
         message => "fipsinstall"
     };
     push @testdata, (
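Review bot: The `-out` target in this setup entry is `providers/fipsinstall.cnf` in the build tree, the same path that 30-test_evp.t and 90-test_sslprovider.t regenerate, so all three recipes share one mutable config file. If recipes are ever run concurrently (not visible from this hunk), one could load the file while another is rewriting it, and a failed install may leave an older file in place for the tests that follow. At minimum I would document this above the entry: `# Regenerates providers/fipsinstall.cnf in the build tree; shared with 30-test_evp.t and 90-test_sslprovider.t`. The enclosing `unless ($no_fips)` block continues past the end of the hunk.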
diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t
index 814eff74cf..f0ff38a386 100644
--- a/test/recipes/90-test_sslprovider.t
+++ b/test/recipes/90-test_sslprovider.t
@@ -30,7 +30,12 @@ SKIP: {
     skip "Skipping FIPS installation", 1
         if disabled("fips");
 
-    ok(run(perltest(['fipsinstall.pl', bldtop_dir()])),
+    ok(run(app(['openssl', 'fipsinstall',
+                '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+                '-module', bldtop_file('providers', platform->dso('fips')),
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+                '-section_name', 'fips_sect'])),
        "fipsinstall");
 }
 

