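#! /usr/bin/env perl
# Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;

use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
use File::Temp qw(tempfile);

BEGIN {
    setup("test_sslapi");
}

# FIPS tests are skipped when the provider is disabled at build time or when
# the NO_FIPS environment variable is set to a true value.
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);

my $provconf = srctop_file("test", "fips-and-base.cnf");

# A modified copy of "fipsmodule.cnf"
my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);

# An interim modified copy of "fipsmodule.cnf"
my $fipsmodcfgtmp_filename = "fipsmodule_tmp.cnf";
my $fipsmodcfgtmp = result_file($fipsmodcfgtmp_filename);

# A modified copy of "fips-and-base.cnf"
my $provconfnew = result_file("fips-and-base-temp.cnf");

plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
    if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));

plan tests => 4;

# Only the name of the temporary file is needed; sslapitest receives it as
# an argument and the file is removed at the end of this script.
(undef, my $tmpfilename) = tempfile();

ok(run(test(["sslapitest", srctop_dir("test", "certs"),
             srctop_file("test", "recipes", "90-test_sslapi_data",
                         "passwd.txt"), $tmpfilename, "default",
             srctop_file("test", "default.cnf"),
             srctop_file("test",
                         "recipes",
                         "90-test_sslapi_data",
                         "dhparams.pem")])),
   "running sslapitest");

SKIP: {
    skip "Skipping FIPS tests", 2
        if $no_fips;

    # NOTE that because by default we setup fips provider in pedantic mode,
    # with >= 3.1.0 this just runs test_no_ems() to check that the connection
    # fails if ems is not used and the fips check is enabled.
    ok(run(test(["sslapitest", srctop_dir("test", "certs"),
                 srctop_file("test", "recipes", "90-test_sslapi_data",
                             "passwd.txt"), $tmpfilename, "fips",
                 $provconf,
                 srctop_file("test",
                             "recipes",
                             "90-test_sslapi_data",
                             "dhparams.pem")])),
       "running sslapitest with default fips config");

    # $exit receives the status of the version check; a false value means the
    # FIPS provider is older than 3.1.0 and the remaining test is skipped.
    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
        capture => 1, statusvar => \my $exit);

    skip "FIPS provider version is too old for TLS_PRF EMS option test", 1
        if !$exit;

    # Read in a text $infile and replace the first match of the regular
    # expression in $srch with the value in $repl and output to a new file
    # $outfile.
    # Returns 1 on success and 0 if the input cannot be opened or the output
    # cannot be opened, written or closed.  An input without a match is
    # copied unchanged and still counts as success.
    sub replace_line_file_internal {
        my ($infile, $srch, $repl, $outfile) = @_;

        open(my $in, "<", $infile) or return 0;
        # Slurp the whole file.  A fixed-size read would silently drop
        # everything past the buffer, so a config file longer than the
        # buffer would be copied without its trailing settings.
        my $msg = do { local $/; <$in> };
        close $in;
        # An empty input file slurps as undef; treat it as empty text.
        $msg //= "";

        $msg =~ s/$srch/$repl/;

        open(my $fh, ">", $outfile) or return 0;
        # Buffered write errors can surface at print or at close; report
        # both so a partially written config is never counted as success.
        print {$fh} $msg or return 0;
        close $fh or return 0;
        return 1;
    }

    # Read in the text input file $infile
    # and replace a single Key = Value line with a new value in $value.
    # OR remove the Key = Value line if the passed in $value is empty.
    # and then output a new file $outfile.
    # $key is the Key to find
    # Returns the result of replace_line_file_internal().
    sub replace_kv_file {
        my ($infile, $key, $value, $outfile) = @_;
        # $key is a literal name, so quote it rather than letting its
        # characters act as regex syntax.
        # NOTE(review): the pattern is not anchored to the start of a line,
        # so a key that is the tail of a longer key name would also match.
        my $srch = qr/\Q$key\E\s*=\s*\S*\n/;
        my $rep = $value eq "" ? "" : "$key = $value\n";
        return replace_line_file_internal($infile, $srch, $rep, $outfile);
    }

    # Read in the text $infile
    # and search for the $key and replace with $newkey
    # and then output a new file $outfile.
    # Returns the result of replace_line_file_internal().
    sub replace_line_file {
        my ($infile, $key, $newkey, $outfile) = @_;
        # $key is a literal string (a file name here); quoting keeps "."
        # from matching any character.
        my $srch = qr/\Q$key\E/;
        my $rep = "$newkey";
        return replace_line_file_internal($infile,
                                          $srch, $rep, $outfile);
    }

    # The default fipsmodule.cnf in tests is set with -pedantic.
    # In order to enable the tls1-prf-ems-check=0 in a fips config file
    # copy the existing fipsmodule.cnf and modify it.
    # Then copy fips-and-base.cnf to make a file that includes the changed file
    #
    # Both settings are written as 0 into copies under result_dir(); the
    # build's own fipsmodule.cnf and the source fips-and-base.cnf are only
    # read, so the relaxed values stay confined to this test's result files.
    $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
    ok(replace_kv_file($fipsmodcfg,
                       'tls1-prf-ems-check', '0',
                       $fipsmodcfgtmp)
       && replace_kv_file($fipsmodcfgtmp,
                          'rsa-pkcs15-pad-disabled', '0',
                          $fipsmodcfgnew)
       && replace_line_file($provconf,
                            $fipsmodcfg_filename, $fipsmodcfgnew_filename,
                            $provconfnew)
       && run(test(["sslapitest", srctop_dir("test", "certs"),
                    srctop_file("test", "recipes", "90-test_sslapi_data",
                                "passwd.txt"),
                    $tmpfilename, "fips",
                    $provconfnew,
                    srctop_file("test",
                                "recipes",
                                "90-test_sslapi_data",
                                "dhparams.pem")])),
       "running sslapitest with modified fips config");
}

ok(run(test(["ssl_handshake_rtt_test"])),"running ssl_handshake_rtt_test");

unlink $tmpfilename;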