[openssl] master update
Matt Caswell
matt at openssl.org
Wed Apr 22 09:41:11 UTC 2020
The branch master has been updated
via 9be92bec2eca839e26216cedc241f689c43125a5 (commit)
via a7a7643a5317dc8d539422ee30d8b916dd3b71a8 (commit)
via a033c9a2e8b1c9e5719a27ad3cadc66a866ef2c1 (commit)
from 0345f9eccc25eee39c22a09325510ef791de631c (commit)
- Log -----------------------------------------------------------------
commit 9be92bec2eca839e26216cedc241f689c43125a5
Author: Matt Caswell <matt at openssl.org>
Date: Mon Apr 20 14:18:36 2020 +0100
Skip a no-dsa test in the fipsinstall test
In a similar way to the previous commit we also skip a fipsinstall test
if DSA has been disabled.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11582)
commit a7a7643a5317dc8d539422ee30d8b916dd3b71a8
Author: Matt Caswell <matt at openssl.org>
Date: Mon Apr 20 14:05:47 2020 +0100
Skip a test in a no-dh build
One of the sub-tests in the fipsinstall test corrupts a DH test to
confirm that fipsinstall fails. However that is never noticed in a
no-dh build - so we just skip that test in a no-dh build.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11582)
commit a033c9a2e8b1c9e5719a27ad3cadc66a866ef2c1
Author: Matt Caswell <matt at openssl.org>
Date: Mon Apr 20 14:05:23 2020 +0100
Fix some build failures with no-dh
Add some missing OPENSSL_NO_DH guards.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11582)
-----------------------------------------------------------------------
Summary of changes:
crypto/ffc/ffc_backend.c | 6 ++++
crypto/ffc/ffc_params.c | 5 +++
.../serializers/serializer_ffc_params.c | 5 +++
test/recipes/03-test_fipsinstall.t | 37 ++++++++++++++--------
4 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/crypto/ffc/ffc_backend.c b/crypto/ffc/ffc_backend.c
index d3661b1706..d9b3e2e8af 100644
--- a/crypto/ffc/ffc_backend.c
+++ b/crypto/ffc/ffc_backend.c
@@ -31,7 +31,13 @@ int ffc_params_fromdata(FFC_PARAMS *ffc, const OSSL_PARAM params[])
if (prm != NULL) {
if (prm->data_type != OSSL_PARAM_UTF8_STRING)
goto err;
+#ifndef OPENSSL_NO_DH
+ /*
+ * In a no-dh build we just go straight to err because we have no
+ * support for this.
+ */
if (!ffc_set_group_pqg(ffc, prm->data))
+#endif
goto err;
}
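Review bot: The `#endif` sits between the `if (!ffc_set_group_pqg(ffc, prm->data))` line and its `goto err;`, so the same `goto err;` is the body of an `if` in a DH build and an unconditional statement in a no-dh build. That fails closed, which is the right outcome for a group name the build cannot resolve, but the shape is easy to break: bracing the `if` or adding a statement before the `goto` would change only one of the two configurations. I would keep the whole `if`/`goto err;` pair inside `#ifndef OPENSSL_NO_DH` and add an `#else` branch with its own `goto err;`, moving the existing comment into that branch. The body of ffc_params_fromdata starts and continues outside this hunk.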
diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c
index 89550bedec..63a8bb73b4 100644
--- a/crypto/ffc/ffc_params.c
+++ b/crypto/ffc/ffc_params.c
@@ -215,6 +215,7 @@ int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
ffc->seed, ffc->seedlen))
return 0;
if (ffc->nid != NID_undef) {
+#ifndef OPENSSL_NO_DH
const char *name = ffc_named_group_from_uid(ffc->nid);
if (name == NULL
@@ -222,6 +223,10 @@ int ffc_params_todata(const FFC_PARAMS *ffc, OSSL_PARAM_BLD *bld,
OSSL_PKEY_PARAM_FFC_GROUP,
name))
return 0;
+#else
+ /* How could this be? We should not have a nid in a no-dh build. */
+ return 0;
+#endif
}
return 1;
}
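Review bot: The `#else` branch returns 0 for a state its own comment treats as impossible, and nothing visible here records why, so a caller in a no-dh build sees only a bare failure. Failing is the safe choice, but the question `/* How could this be? ... */` would read better as a statement of the invariant, for example `/* A named group nid is only ever set by DH code; reaching here in a no-dh build is an internal error. */`, if that is indeed the invariant. If the file already has the error-reporting macros in scope, raising an internal-error entry before `return 0;` would make the condition diagnosable. The same applies to the `goto err;` branch added to ffc_params_prov_print in serializer_ffc_params.c. ffc_params_todata begins outside these hunks.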
diff --git a/providers/implementations/serializers/serializer_ffc_params.c b/providers/implementations/serializers/serializer_ffc_params.c
index 20cf4b3d24..98c9886ce9 100644
--- a/providers/implementations/serializers/serializer_ffc_params.c
+++ b/providers/implementations/serializers/serializer_ffc_params.c
@@ -15,6 +15,7 @@
int ffc_params_prov_print(BIO *out, const FFC_PARAMS *ffc)
{
if (ffc->nid != NID_undef) {
+#ifndef OPENSSL_NO_DH
const char *name = ffc_named_group_from_uid(ffc->nid);
if (name == NULL)
@@ -22,6 +23,10 @@ int ffc_params_prov_print(BIO *out, const FFC_PARAMS *ffc)
if (ossl_prov_bio_printf(out, "GROUP: %s\n", name) <= 0)
goto err;
return 1;
+#else
+ /* How could this be? We should not have a nid in a no-dh build. */
+ goto err;
+#endif
}
if (!ossl_prov_print_labeled_bignum(out, "P: ", ffc->p))
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 024d8c7ca5..65485fe50d 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -101,19 +101,28 @@ ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
"fipsinstall fails when the DRBG CTR result is corrupted");
# corrupt a KAS test
-ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
- '-section_name', 'fips_install',
- '-corrupt_desc', 'DH',
- '-corrupt_type', 'KAT_KA'])),
- "fipsinstall fails when the kas result is corrupted");
+SKIP: {
+ skip "Skipping KAS DH corruption test because of no dh in this build", 1
+ if disabled("dh");
+
+ ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_install',
+ '-corrupt_desc', 'DH',
+ '-corrupt_type', 'KAT_KA'])),
+ "fipsinstall fails when the kas result is corrupted");
+}
# corrupt a Signature test
-ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
- '-provider_name', 'fips', '-mac_name', 'HMAC',
- '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
- '-section_name', 'fips_install',
- '-corrupt_desc', 'DSA',
- '-corrupt_type', 'KAT_Signature'])),
- "fipsinstall fails when the signature result is corrupted");
+SKIP: {
+ skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
+ if disabled("dsa");
+ ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.conf', '-module', $infile,
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_install',
+ '-corrupt_desc', 'DSA',
+ '-corrupt_type', 'KAT_Signature'])),
+ "fipsinstall fails when the signature result is corrupted");
+}
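Review bot: With `disabled("dh")` or `disabled("dsa")` the recipe no longer checks that a corrupted `KAT_KA` or `KAT_Signature` self-test makes fipsinstall fail, so those two self-test categories lose their negative coverage in such builds. If the FIPS module carries a self-test of the same type for an algorithm that remains enabled, corrupting that one in the skip case would keep the check; I cannot tell from this hunk whether one exists. A minor style point: the first SKIP block has a blank line after the `skip ... if disabled("dh");` statement and the second block does not.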