authorClemens Lang <cllang@redhat.com>2022-07-01 14:50:59 +0200
committerDmitry Belyavskiy <beldmit@gmail.com>2022-08-17 09:20:41 +0200
commitae3c30acac17271693e91dcae42c804cd96e8f93 (patch)
treeb10156e34912a65aca895334701ba8517f44b881 /test/recipes
parent45479dcee1672661e4f5b6d8b6c9a50453581e65 (diff)
APPS: dhparam: Support setting properties
The -provider and -propquery options did not work on dhparam. Fix this and add tests that check that operations that would usually fail with the FIPS provider work when run with | -provider default -propquery '?fips!=yes' See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously fixed the same problem in dsaparam and gendsa. See also the initial report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18717)
Diffstat (limited to 'test/recipes')
-rw-r--r--test/recipes/20-test_dhparam.t34
1 files changed, 32 insertions, 2 deletions
diff --git a/test/recipes/20-test_dhparam.t b/test/recipes/20-test_dhparam.t
index 9688b10dbb..72c878371e 100644
--- a/test/recipes/20-test_dhparam.t
+++ b/test/recipes/20-test_dhparam.t
@@ -10,7 +10,7 @@
use strict;
use warnings;
-use OpenSSL::Test qw(:DEFAULT data_file);
+use OpenSSL::Test qw(:DEFAULT data_file srctop_file);
use OpenSSL::Test::Utils;
#Tests for the dhparam CLI application
@@ -19,7 +19,9 @@ setup("test_dhparam");
plan skip_all => "DH is not supported in this build"
if disabled("dh");
-plan tests => 17;
+plan tests => 21;
+
+my $fipsconf = srctop_file("test", "fips-and-base.cnf");
sub checkdhparams {
my $file = shift; #Filename containing params
@@ -179,6 +181,34 @@ SKIP: {
checkdhparams("gen-x942-0-512.der", "X9.42", 0, "DER", 512);
};
}
+SKIP: {
+ skip "Skipping tests that are only supported in a fips build with security ".
+ "checks", 4 if (disabled("fips") || disabled("fips-securitychecks"));
+
+ $ENV{OPENSSL_CONF} = $fipsconf;
+
+ ok(!run(app(['openssl', 'dhparam', '-check', '512'])),
+ "Generating 512 bit DH params should fail in FIPS mode");
+
+ ok(run(app(['openssl', 'dhparam', '-provider', 'default', '-propquery',
+ '?fips!=yes', '-check', '512'])),
+ "Generating 512 bit DH params should succeed in FIPS mode using".
+ " non-FIPS property query");
+
+ SKIP: {
+ skip "Skipping tests that require DSA", 2 if disabled("dsa");
+
+ ok(!run(app(['openssl', 'dhparam', '-dsaparam', '-check', '512'])),
+ "Generating 512 bit DSA-style DH params should fail in FIPS mode");
+
+ ok(run(app(['openssl', 'dhparam', '-provider', 'default', '-propquery',
+ '?fips!=yes', '-dsaparam', '-check', '512'])),
+ "Generating 512 bit DSA-style DH params should succeed in FIPS".
+ " mode using non-FIPS property query");
+ }
+
+ delete $ENV{OPENSSL_CONF};
+}
ok(run(app(["openssl", "dhparam", "-noout", "-text"],
stdin => data_file("pkcs3-2-1024.pem"))),
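Review bot: The new SKIP block assigns `$ENV{OPENSSL_CONF} = $fipsconf;` and ends with `delete $ENV{OPENSSL_CONF};`, so any value the variable held before the block is discarded rather than restored, and the `dhparam` read tests that follow run without it. Whether the harness exports an `OPENSSL_CONF` of its own is not visible in this hunk, but scoping the override avoids the question: replace the assignment with `local $ENV{OPENSSL_CONF} = $fipsconf;` and drop the `delete`, so the previous state returns when the block exits. Separately, the two `ok(!run(...))` assertions accept any non-zero exit, so a FIPS configuration that fails to load would look the same as the provider rejecting 512-bit parameters. The paired `-provider default -propquery '?fips!=yes'` runs probably cover part of that, but a short comment such as `# failure expected from the FIPS security checks, not from config loading` would record the intent.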