author | Daiki Ueno <ueno@gnu.org> | 2023-03-09 14:09:14 +0900 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2023-03-09 21:17:07 +0900 |
commit | d13ada4eccbc00ce88841e0b5f7d17c1f4cf4158 (patch) | |
tree | e88fb9a9a1a53d4a9f9649ebf147e595430f2487 /tests | |
parent | dd79ac9bcf90012e090726adf7c1940bcce8333f (diff) | |
download | gnutls-d13ada4eccbc00ce88841e0b5f7d17c1f4cf4158.tar.gz |
tests: skip TLS 1.2 resume tests without EMS under FIPS
In FIPS mode, the extended master secret extension is required, so those tests
are not supported.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/multi-alerts.c | 8 | ||||
-rw-r--r-- | tests/no-extensions.c | 7 | ||||
-rwxr-xr-x | tests/ocsp-tests/ocsp-must-staple-connection.sh | 60 | ||||
-rw-r--r-- | tests/rehandshake-ext-secret.c | 8 | ||||
-rw-r--r-- | tests/resume.c | 19 | ||||
-rw-r--r-- | tests/status-request.c | 8 |
6 files changed, 77 insertions, 33 deletions
diff --git a/tests/multi-alerts.c b/tests/multi-alerts.c
index bbd6df25b8..7412d48fa1 100644
--- a/tests/multi-alerts.c
+++ b/tests/multi-alerts.c
@@ -197,6 +197,14 @@ void doit(void)
 int sockets[2];
 int err;
+ /* This test does not work under FIPS, as extended master
+ * secret extension needs to be negotiated through extensions,
+ * but the fixture does not contain the extension.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
 if (err == -1) {
 perror("socketpair");
diff --git a/tests/no-extensions.c b/tests/no-extensions.c
index 87986af2e2..bb543b59bb 100644
--- a/tests/no-extensions.c
+++ b/tests/no-extensions.c
@@ -210,6 +210,13 @@ void start(const char *prio, gnutls_protocol_t exp_version)
 void doit(void)
 {
+ /* This test does not work under FIPS, as extended master
+ * secret extension needs to be negotiated through extensions.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS", GNUTLS_TLS1_0);
 start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS", GNUTLS_TLS1_1);
 start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2);
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
index eb9d8db7f8..880e50bbe5 100755
--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
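Review bot: The FIPS skip added to multi-alerts.c `doit` exits with 77 without saying why, and the same silent form appears in the no-extensions.c hunk on this line, in the rehandshake-ext-secret.c hunk below, and in status-request.c where the TLS 1.2 run is dropped without a trace, whereas the resume.c hunk logs `success("skipping %s under FIPS mode\n", ...)` before continuing. If utils.h's success() is in scope in these tests as it is in resume.c, a one-line message before the exit, `success("skipping under FIPS mode: extended master secret cannot be negotiated\n");`, would make a skipped run distinguishable from a misconfigured one in the test log. For no-extensions.c the blanket exit also drops any start() calls that may follow the three TLS 1.0–1.2 cases shown here; if there are any that can negotiate the extension, the selective form used in status-request.c (`if (!gnutls_fips140_mode_enabled())` around only the affected case) would keep them running. doit's body continues outside the hunk in both files.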
@@ -401,39 +401,43 @@ kill "${TLS_SERVER_PID}"
 wait "${TLS_SERVER_PID}"
 unset TLS_SERVER_PID
-echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
-
-eval "${GETPORT}"
-# Port for gnutls-serv
-TLS_SERVER_PORT=$PORT
-PORT=${TLS_SERVER_PORT}
-launch_bare_server \
- datefudge "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
-TLS_SERVER_PID="${!}"
-wait_server $TLS_SERVER_PID
+if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then
+
+ echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+ eval "${GETPORT}"
+ # Port for gnutls-serv
+ TLS_SERVER_PORT=$PORT
+ PORT=${TLS_SERVER_PORT}
+ launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+ TLS_SERVER_PID="${!}"
+ wait_server $TLS_SERVER_PID
+
+ wait_for_port "${TLS_SERVER_PORT}"
+
+ echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+ rc=$?
-wait_for_port "${TLS_SERVER_PORT}"
+ if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+ fi
-echo "test 123456" | \
- datefudge -s "${TESTDATE}" \
- "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
-rc=$?
+ kill "${TLS_SERVER_PID}"
+ wait "${TLS_SERVER_PID}"
+ unset TLS_SERVER_PID
-if test "${rc}" != "0"; then
- echo "Connecting to server with valid certificate and OCSP error response failed"
- exit ${rc}
 fi
-kill "${TLS_SERVER_PID}"
-wait "${TLS_SERVER_PID}"
-unset TLS_SERVER_PID
-
 echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
 eval "${GETPORT}"
diff --git a/tests/rehandshake-ext-secret.c b/tests/rehandshake-ext-secret.c
index cdb8f5e838..93d26ca4c7 100644
--- a/tests/rehandshake-ext-secret.c
+++ b/tests/rehandshake-ext-secret.c
@@ -153,6 +153,14 @@ static void try(unsigned onclient)
 void doit(void)
 {
+ /* This test does not work with TLS 1.2 under FIPS, as
+ * extended master secret extension needs to be negotiated
+ * through extensions, while %NO_SESSION_HASH is set.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 try(0);
 reset_buffers();
 try(1);
diff --git a/tests/resume.c b/tests/resume.c
index d307ee2acc..83e750af66 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -90,6 +90,7 @@ struct params_res {
 int change_ciphersuite;
 int early_start;
 int no_early_start;
+ int no_fips;
 };
 pid_t child;
@@ -125,14 +126,16 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_NONE,
 .expect_resume = 0,
 .first_no_ext_master = 0,
- .second_no_ext_master = 1},
+ .second_no_ext_master = 1,
+ .no_fips = 1},
 {.desc = "try to resume from db (none -> ext master secret)",
 .enable_db = 1,
 .enable_session_ticket_server = ST_NONE,
 .enable_session_ticket_client = ST_NONE,
 .expect_resume = 0,
 .first_no_ext_master = 1,
- .second_no_ext_master = 0},
+ .second_no_ext_master = 0,
+ .no_fips = 1},
 # endif
 # if defined(TLS13)
 /* only makes sense under TLS1.3 as negotiation involves a new
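Review bot: The shell test decides to skip Test 7 from the `GNUTLS_FORCE_FIPS_MODE` environment variable, while every C test in this commit asks the library itself via `gnutls_fips140_mode_enabled()`; if FIPS mode is active through system configuration rather than that variable, Test 7 still runs and fails. If the harness already offers a runtime FIPS check, using it here would match the C tests; otherwise the skip is at least worth recording, e.g. an `else` branch with `echo "=== Test 7 skipped under FIPS mode ==="` before the closing `fi`, so the log states what was not exercised. Since the banner line is rewritten anyway, its `OSCP` could become `OCSP`, though Test 8's banner in the trailing context has the same spelling. The surrounding script continues outside the hunk.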
@@ -214,7 +217,8 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_ALL,
 .expect_resume = 0,
 .first_no_ext_master = 0,
- .second_no_ext_master = 1},
+ .second_no_ext_master = 1,
+ .no_fips = 1},
 {.desc = "try to resume from session ticket (none -> ext master secret)",
 .enable_db = 0,
@@ -222,7 +226,8 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_ALL,
 .expect_resume = 0,
 .first_no_ext_master = 1,
- .second_no_ext_master = 0},
+ .second_no_ext_master = 0,
+ .no_fips = 1},
 {.desc = "try to resume from session ticket (server only)",
 .enable_db = 0,
 .enable_session_ticket_server = ST_ALL,
@@ -967,6 +972,12 @@ void doit(void)
 int client_sds[SESSIONS], server_sds[SESSIONS];
 int j;
+ if (resume_tests[i].no_fips && gnutls_fips140_mode_enabled()) {
+ success("skipping %s under FIPS mode\n",
+ resume_tests[i].desc);
+ continue;
+ }
+
 printf("%s\n", resume_tests[i].desc);
 for (j = 0; j < SESSIONS; j++) {
diff --git a/tests/status-request.c b/tests/status-request.c
index 752b222d9a..5c165ae5f0 100644
--- a/tests/status-request.c
+++ b/tests/status-request.c
@@ -289,7 +289,13 @@ void start(const char *prio)
 void doit(void)
 {
- start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+ /* This test does not work with TLS 1.2 under FIPS, as
+ * extended master secret extension needs to be negotiated
+ * through extensions.
+ */
+ if (!gnutls_fips140_mode_enabled()) {
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+ }
 start("NORMAL:-VERS-ALL:+VERS-TLS1.3");
 start("NORMAL");
 }
|
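Review bot: The new skip in resume.c `doit` issues `continue` right after the per-iteration declarations `int client_sds[SESSIONS], server_sds[SESSIONS]; int j;`, which is only safe if nothing earlier in the loop body (its head is outside the hunk) has already created sockets or forked `child`; the hunk shows only declarations before the check, so this looks fine, but it is worth confirming against the loop head. `gnutls_fips140_mode_enabled()` is also re-queried on every iteration; reading it once before the loop, `int fips = gnutls_fips140_mode_enabled();`, and testing `resume_tests[i].no_fips && fips` would state the intent once. A short comment above the check, such as `/* FIPS requires the extended master secret; entries marked no_fips deliberately negotiate one side without it */`, would tie the new flag to the `.no_fips = 1` entries, which are exactly those with `first_no_ext_master` or `second_no_ext_master` set.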