From d13ada4eccbc00ce88841e0b5f7d17c1f4cf4158 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Thu, 9 Mar 2023 14:09:14 +0900
Subject: tests: skip TLS 1.2 resume tests without EMS under FIPS

In FIPS mode, extended master secret is required and those tests are not supported.

Signed-off-by: Daiki Ueno
---
 tests/multi-alerts.c | 8 ++++
 tests/no-extensions.c | 7 +++
 tests/ocsp-tests/ocsp-must-staple-connection.sh | 60 +++++++++++++------------
 tests/rehandshake-ext-secret.c | 8 ++++
 tests/resume.c | 19 ++++++--
 tests/status-request.c | 8 +++-
 6 files changed, 77 insertions(+), 33 deletions(-)

(limited to 'tests')

diff --git a/tests/multi-alerts.c b/tests/multi-alerts.c
index bbd6df25b8..7412d48fa1 100644
--- a/tests/multi-alerts.c
+++ b/tests/multi-alerts.c
@@ -197,6 +197,14 @@ void doit(void)
 int sockets[2];
 int err;
 
+ /* This test does not work under FIPS, as extended master
+ * secret extension needs to be negotiated through extensions,
+ * but the fixture does not contain the extension.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
 if (err == -1) {
 perror("socketpair");
diff --git a/tests/no-extensions.c b/tests/no-extensions.c
index 87986af2e2..bb543b59bb 100644
--- a/tests/no-extensions.c
+++ b/tests/no-extensions.c
@@ -210,6 +210,13 @@ void start(const char *prio, gnutls_protocol_t exp_version)
 
 void doit(void)
 {
+ /* This test does not work under FIPS, as extended master
+ * secret extension needs to be negotiated through extensions.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS", GNUTLS_TLS1_0);
 start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS", GNUTLS_TLS1_1);
 start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2);
diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
index eb9d8db7f8..880e50bbe5 100755
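Review bot: The skip condition `if (gnutls_fips140_mode_enabled()) {` treats every non-zero return the same, but that function reports the mode value (strict, self-tests, lax, log), and it is not visible from this hunk whether a TLS 1.2 handshake without extended master secret is actually refused in the lax or log modes. If the refusal is limited to strict mode, `exit(77)` here drops the test in modes where it would still pass; comparing the return value against the strict-mode enumerator from gnutls.h (GNUTLS_FIPS140_STRICT, if I recall the enum correctly) would keep that coverage, but this should be confirmed against the handshake code first. The same condition is repeated in the other files of this commit, so whichever form is right should be applied to all of them at once.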
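Review bot: Skipping the whole test with `exit(77)` under FIPS loses the one property FIPS mode is meant to guarantee here: a TLS 1.2 client that sends no extensions cannot negotiate extended master secret, so the handshake must be refused, and after this change nothing in the suite asserts that. The visible `start(prio, exp_version)` takes an expected protocol version rather than an expected outcome, so turning the `+VERS-TLS1.2:%NO_EXTENSIONS` case into a negative test needs a change to start() outside this hunk; until that exists the comment should record the gap, e.g. `/* TODO: under FIPS the TLS 1.2 case should assert that the handshake is rejected rather than be skipped. */`. The skip also fires before the TLS 1.0 and 1.1 calls, which the comment does not mention; if those are expected to be unavailable under FIPS anyway, saying so keeps the comment honest about what is dropped.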
--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
+++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
@@ -401,39 +401,43 @@ kill "${TLS_SERVER_PID}"
 wait "${TLS_SERVER_PID}"
 unset TLS_SERVER_PID
 
-echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
-
-eval "${GETPORT}"
-# Port for gnutls-serv
-TLS_SERVER_PORT=$PORT
-PORT=${TLS_SERVER_PORT}
-launch_bare_server \
- datefudge "${TESTDATE}" \
- "${SERV}" --echo --disable-client-cert \
- --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
- --x509certfile="${SERVER_CERT_FILE}" \
- --port="${TLS_SERVER_PORT}" \
- --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
-TLS_SERVER_PID="${!}"
-wait_server $TLS_SERVER_PID
+if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then
+
+ echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+ eval "${GETPORT}"
+ # Port for gnutls-serv
+ TLS_SERVER_PORT=$PORT
+ PORT=${TLS_SERVER_PORT}
+ launch_bare_server \
+ datefudge "${TESTDATE}" \
+ "${SERV}" --echo --disable-client-cert \
+ --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+ --x509certfile="${SERVER_CERT_FILE}" \
+ --port="${TLS_SERVER_PORT}" \
+ --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+ TLS_SERVER_PID="${!}"
+ wait_server $TLS_SERVER_PID
+
+ wait_for_port "${TLS_SERVER_PORT}"
+
+ echo "test 123456" | \
+ datefudge -s "${TESTDATE}" \
+ "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+ --port="${TLS_SERVER_PORT}" localhost
+ rc=$?
 
-wait_for_port "${TLS_SERVER_PORT}"
+ if test "${rc}" != "0"; then
+ echo "Connecting to server with valid certificate and OCSP error response failed"
+ exit ${rc}
+ fi
 
-echo "test 123456" | \
- datefudge -s "${TESTDATE}" \
- "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
- --port="${TLS_SERVER_PORT}" localhost
-rc=$?
+ kill "${TLS_SERVER_PID}"
+ wait "${TLS_SERVER_PID}"
+ unset TLS_SERVER_PID
 
-if test "${rc}" != "0"; then
- echo "Connecting to server with valid certificate and OCSP error response failed"
- exit ${rc}
 fi
 
-kill "${TLS_SERVER_PID}"
-wait "${TLS_SERVER_PID}"
-unset TLS_SERVER_PID
-
 echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
 
 eval "${GETPORT}"
diff --git a/tests/rehandshake-ext-secret.c b/tests/rehandshake-ext-secret.c
index cdb8f5e838..93d26ca4c7 100644
--- a/tests/rehandshake-ext-secret.c
+++ b/tests/rehandshake-ext-secret.c
@@ -153,6 +153,14 @@ static void try(unsigned onclient)
 
 void doit(void)
 {
+ /* This test does not work with TLS 1.2 under FIPS, as
+ * extended master secret extension needs to be negotiated
+ * through extensions, while %NO_SESSION_HASH is set.
+ */
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
 try(0);
 reset_buffers();
 try(1);
diff --git a/tests/resume.c b/tests/resume.c
index d307ee2acc..83e750af66 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -90,6 +90,7 @@ struct params_res {
 int change_ciphersuite;
 int early_start;
 int no_early_start;
+ int no_fips;
 };
 
 pid_t child;
@@ -125,14 +126,16 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_NONE,
 .expect_resume = 0,
 .first_no_ext_master = 0,
- .second_no_ext_master = 1},
+ .second_no_ext_master = 1,
+ .no_fips = 1},
 {.desc = "try to resume from db (none -> ext master secret)",
 .enable_db = 1,
 .enable_session_ticket_server = ST_NONE,
 .enable_session_ticket_client = ST_NONE,
 .expect_resume = 0,
 .first_no_ext_master = 1,
- .second_no_ext_master = 0},
+ .second_no_ext_master = 0,
+ .no_fips = 1},
 # endif
 # if defined(TLS13)
 /* only makes sense under TLS1.3 as negotiation involves a new
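Review bot: The guard added around Test 7, `if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then`, keys off an environment variable, whereas the C tests in this same commit ask the library itself via gnutls_fips140_mode_enabled(); on a host where FIPS mode is switched on by the system rather than by that variable, Test 7 still runs its `NORMAL:%NO_EXTENSIONS` client and fails. If the other shell tests already have a runtime probe for the library's FIPS state it should be reused here; if not, that limitation belongs in a comment on the `if` line so the next failure is understood quickly. Separately, the skipped branch is silent and the log of a FIPS run looks like a full run, so an `else` with `echo "=== Test 7: skipped under FIPS (client sends no extensions, so no EMS) ==="` before the closing `fi` would make the reduced coverage visible.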
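Review bot: The skip is coarser than its own comment: the comment blames the TLS 1.2 leg where `%NO_SESSION_HASH` disables extended master secret, yet `exit(77)` drops both `try(0)` and `try(1)` unconditionally. try() starts above this hunk, so I cannot see whether either call also has a leg where both peers negotiate EMS; if one does, that leg remains valid under FIPS and could be kept by checking gnutls_fips140_mode_enabled() inside try() around the non-EMS priority only. If every leg depends on `%NO_SESSION_HASH`, the comment should say so explicitly, e.g. `* both try() legs rely on %NO_SESSION_HASH, so nothing here can run under FIPS.`, so the next reader does not have to open try() to trust the skip.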
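Review bot: The new member `int no_fips;` is the only field in this struct that encodes a policy rather than a handshake parameter, and it carries no comment, so a reader of the table cannot tell from the declaration what makes an entry ineligible. In this commit the entries that set it are exactly those where one of the two handshakes drops extended master secret, which a trailer would pin down: `int no_fips; /* skip under FIPS: one handshake negotiates without EMS */`. It is also worth stating that entries which omit the field default to 0 and therefore run under FIPS, since any future non-EMS case must remember to set it.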
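Review bot: Only the two mismatched entries (EMS on one handshake, none on the other) receive `.no_fips = 1` in this hunk, but what makes them fail under FIPS is the presence of any handshake without extended master secret, not the mismatch itself. If the table outside this hunk holds an entry with both `.first_no_ext_master = 1` and `.second_no_ext_master = 1`, it needs the same marking; I cannot see the rest of the table from here, so that should be checked before this lands. A one-line rule next to the table, e.g. `/* any entry setting first_no_ext_master or second_no_ext_master must also set .no_fips = 1 */`, would keep the two flags in step.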
@@ -214,7 +217,8 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_ALL,
 .expect_resume = 0,
 .first_no_ext_master = 0,
- .second_no_ext_master = 1},
+ .second_no_ext_master = 1,
+ .no_fips = 1},
 {.desc =
 "try to resume from session ticket (none -> ext master secret)",
 .enable_db = 0,
@@ -222,7 +226,8 @@ struct params_res resume_tests[] = {
 .enable_session_ticket_client = ST_ALL,
 .expect_resume = 0,
 .first_no_ext_master = 1,
- .second_no_ext_master = 0},
+ .second_no_ext_master = 0,
+ .no_fips = 1},
 {.desc = "try to resume from session ticket (server only)",
 .enable_db = 0,
 .enable_session_ticket_server = ST_ALL,
@@ -967,6 +972,12 @@ void doit(void)
 int client_sds[SESSIONS], server_sds[SESSIONS];
 int j;
 
+ if (resume_tests[i].no_fips && gnutls_fips140_mode_enabled()) {
+ success("skipping %s under FIPS mode\n",
+ resume_tests[i].desc);
+ continue;
+ }
+
 printf("%s\n", resume_tests[i].desc);
 
 for (j = 0; j < SESSIONS; j++) {
diff --git a/tests/status-request.c b/tests/status-request.c
index 752b222d9a..5c165ae5f0 100644
--- a/tests/status-request.c
+++ b/tests/status-request.c
@@ -289,7 +289,13 @@ void start(const char *prio)
 
 void doit(void)
 {
- start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+ /* This test does not work with TLS 1.2 under FIPS, as
+ * extended master secret extension needs to be negotiated
+ * through extensions.
+ */
+ if (!gnutls_fips140_mode_enabled()) {
+ start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+ }
 start("NORMAL:-VERS-ALL:+VERS-TLS1.3");
 start("NORMAL");
 }
-- 
cgit v1.2.1
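Review bot: The skipped TLS 1.2 run is silent: when gnutls_fips140_mode_enabled() is non-zero the `start("NORMAL:-VERS-ALL:+VERS-TLS1.2");` call is simply bypassed and the log of a FIPS run is indistinguishable from a full run, whereas resume.c in this same commit reports every skipped case through `success()`. Adding `} else { success("skipping TLS 1.2 under FIPS mode\n"); }` after the new `if` keeps the two files consistent and makes the reduced coverage visible. The comment could also say which side of the exchange omits extended master secret, because this test does send extensions (status_request) and the stated reason does not obviously apply to it; I cannot tell from the hunk, so that is for the author to confirm and record.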