author | Pauli <pauli@openssl.org> | 2023-04-18 14:41:17 +1000 |
---|---|---|
committer | Hugo Landau <hlandau@openssl.org> | 2023-04-21 17:01:38 +0100 |
commit | 4454c20f026bb47f158ea05c207f143c81d674d8 (patch) | |
tree | 0e867fea159ecb114353f6b67767ee67a5165876 /test/helpers | |
parent | e07999369a13a29243f34cbd5d24281783984299 (diff) | |
test: update ssl_new tests in line with pedantic FIPS policy
Add a new option to the `test' section of SSL test data structure.
This contains a space separated list of version checks, all of which must
pass.
Note that the version checks are as they are because:
- 3.1.0 doesn't have mandatory EMS support, so it can run the old tests.
- 3.1.1 (& later) will have mandatory EMS support, so they can't run them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
Diffstat (limited to 'test/helpers')
-rw-r--r-- | test/helpers/ssl_test_ctx.c | 5 | ||||
-rw-r--r-- | test/helpers/ssl_test_ctx.h | 3 |
2 files changed, 8 insertions, 0 deletions
diff --git a/test/helpers/ssl_test_ctx.c b/test/helpers/ssl_test_ctx.c
index 1919481b02..c7777f8f07 100644
--- a/test/helpers/ssl_test_ctx.c
+++ b/test/helpers/ssl_test_ctx.c
@@ -652,6 +652,9 @@ IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, enable_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, force_pha)
 IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CLIENT_CONF, client, no_extms_on_reneg)
+/* FIPS provider version limiting */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, fips_version)
+
 /* Known test options and their corresponding parse methods. */
 /* Top-level options. */
@@ -692,6 +695,7 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = {
 { "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug },
 { "ExpectedCipher", &parse_test_expected_cipher },
 { "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data },
+ { "FIPSversion", &parse_test_fips_version },
 };
 /* Nested client options. */
@@ -781,6 +785,7 @@ void SSL_TEST_CTX_free(SSL_TEST_CTX *ctx)
 sk_X509_NAME_pop_free(ctx->expected_server_ca_names, X509_NAME_free);
 sk_X509_NAME_pop_free(ctx->expected_client_ca_names, X509_NAME_free);
 OPENSSL_free(ctx->expected_cipher);
+ OPENSSL_free(ctx->fips_version);
 OPENSSL_free(ctx);
 }
diff --git a/test/helpers/ssl_test_ctx.h b/test/helpers/ssl_test_ctx.h
index 4baf657f6d..982d15a5c3 100644
--- a/test/helpers/ssl_test_ctx.h
+++ b/test/helpers/ssl_test_ctx.h
@@ -231,6 +231,9 @@ typedef struct {
 char *expected_session_ticket_app_data;
 OSSL_LIB_CTX *libctx;
+
+ /* FIPS version string to check for compatibility */
+ char *fips_version;
 } SSL_TEST_CTX;
 const char *ssl_test_result_name(ssl_test_result_t result); |
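Review bot: The new comment `/* FIPS provider version limiting */` in the first ssl_test_ctx.c hunk, and the field comment `/* FIPS version string to check for compatibility */` in the ssl_test_ctx.h hunk, do not record the format the commit message gives: a space separated list of version checks that must all pass. I would spell that out, e.g. `/* FIPS provider version limiting: space separated list of version checks, all must pass */`, and note on the field that the string is owned by the context and released in SSL_TEST_CTX_free. As far as these hunks show the value is stored unparsed, and the code that evaluates it is outside this diff (the diffstat is limited to test/helpers). It is worth confirming there that an unparsable check fails the test rather than quietly skipping it, since these checks decide whether the EMS-related tests run.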
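Review bot: The key `"FIPSversion"` added to ssl_test_ctx_options[] breaks the capitalisation pattern of its visible neighbours (`"ExpectedCipher"`, `"ExpectedSessionTicketAppData"`), where every word starts upper-case. If the option lookup is case-sensitive, which this hunk does not show, a test file written with `FIPSVersion` would not match this entry. Either use `{ "FIPSVersion", &parse_test_fips_version },` before test data depends on the spelling, or add a short comment recording the chosen form. The table begins above the hunk, so its full naming convention is not visible here.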