[openssl] master update
beldmit at gmail.com
Fri Sep 24 09:07:44 UTC 2021
The branch master has been updated
via a5d8a2f8f10b83e5afb297698fe72cee77b1837f (commit)
from aa58071e4b8b245db1564f476731c978738e7e98 (commit)
- Log -----------------------------------------------------------------
commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f
Author: Dmitry Belyavskiy <beldmit at gmail.com>
Date: Wed Sep 22 16:40:13 2021 +0200

    FIPS and KTLS may interfere

    New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
    FIPS-suitable.

    Fixes #16657

    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16658)

-----------------------------------------------------------------------
Summary of changes:
.github/workflows/ci.yml | 13 +++++++++++++
test/sslapitest.c | 10 ++++++++++
2 files changed, 23 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7a344c529..b52b8c15f4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -179,6 +179,19 @@ jobs:
- name: make test
run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+ fips_and_ktls:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout at v2
+ - name: modprobe tls
+ run: sudo modprobe tls
+ - name: config
+ run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump
+ - name: make
+ run: make -s -j4
+ - name: make test
+ run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
no-legacy:
runs-on: ubuntu-latest
steps:
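Review bot: the new fips_and_ktls job never records which kernel it ran on, so with `runs-on: ubuntu-latest` the log cannot show whether the runner was one of the >= 5.11 kernels the commit message says enable KTLS CHACHA. Consider adding a step that runs `uname -r` next to `sudo modprobe tls`, so a green run can be tied to a kernel that actually exercises the FIPS plus KTLS combination.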
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 1337698e0d..25dc61b876 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
goto end;
}
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
+ goto end;
+ }
+
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
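Review bot: the added check in execute_test_ktls decides the skip by a substring match on the cipher name, `strstr(cipher, "CHACHA") != NULL`, with no comment saying why the case arises. A one-line comment above the `if` noting that the kernel may offer KTLS for CHACHA while FIPS does not support it would make the skip understandable without the commit message; any other non-FIPS cipher later passed in as `cipher` would need its own check here.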
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher)
goto end;
}
+ if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+ testresult = TEST_skip("CHACHA is not supported in FIPS");
+ goto end;
+ }
+
/* Create a session based on SHA-256 */
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
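Review bot: this five-line skip block in execute_test_ktls_sendfile is a verbatim copy of the one added to execute_test_ktls above. Moving the `is_fips && strstr(cipher, "CHACHA") != NULL` condition into a small static helper shared by both functions would keep the two tests from drifting apart if the rule changes.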