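#! /usr/bin/env perl
# Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;

use OpenSSL::Test::Utils;
use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file result_dir result_file/;
use File::Temp qw(tempfile);

BEGIN {
    setup("test_sslapi");
}

# FIPS tests are skipped when the build has no fips provider or when the
# NO_FIPS environment variable is set to a true value.
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
my $fipsmodcfg_filename = "fipsmodule.cnf";
my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename);

my $provconf = srctop_file("test", "fips-and-base.cnf");

# A modified copy of "fipsmodule.cnf"
my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf";
my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename);

# An interim modified copy of "fipsmodule.cnf"
my $fipsmodcfgtmp_filename = "fipsmodule_tmp.cnf";
my $fipsmodcfgtmp = result_file($fipsmodcfgtmp_filename);

# A modified copy of "fips-and-base.cnf"
my $provconfnew = result_file("fips-and-base-temp.cnf");

plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
    if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));

plan tests => 4;

# Scratch file handed to sslapitest; only the name is kept here and the
# file is removed at the end of the script.
(undef, my $tmpfilename) = tempfile();

ok(run(test(["sslapitest", srctop_dir("test", "certs"),
             srctop_file("test", "recipes", "90-test_sslapi_data",
                         "passwd.txt"), $tmpfilename, "default",
             srctop_file("test", "default.cnf"),
             srctop_file("test",
                         "recipes",
                         "90-test_sslapi_data",
                         "dhparams.pem"),
             srctop_dir("test",
                        "recipes",
                        "90-test_sslapi_data")])),
   "running sslapitest");

SKIP: {
    skip "Skipping FIPS tests", 2
        if $no_fips;

    # NOTE that because by default we setup fips provider in pedantic mode,
    # with >= 3.1.0 this just runs test_no_ems() to check that the connection
    # fails if ems is not used and the fips check is enabled.
    ok(run(test(["sslapitest", srctop_dir("test", "certs"),
                 srctop_file("test", "recipes", "90-test_sslapi_data",
                             "passwd.txt"), $tmpfilename, "fips",
                 $provconf,
                 srctop_file("test",
                             "recipes",
                             "90-test_sslapi_data",
                             "dhparams.pem"),
                 srctop_dir("test",
                            "recipes",
                            "90-test_sslapi_data")])),
       "running sslapitest with default fips config");

    # $exit receives the success status of fips_version_test; the remaining
    # FIPS test is skipped when the provider does not satisfy ">=3.1.0".
    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
        capture => 1, statusvar => \my $exit);

    skip "FIPS provider version is too old for TLS_PRF EMS option test", 1
        if !$exit;

    # Read in a text $infile and replace the first match of the regular
    # expression in $srch with the value in $repl and output to a new file
    # $outfile.
    # Returns 1 on success and 0 if the input cannot be read or the output
    # cannot be written.  A pattern that matches nothing is not an error:
    # the file is then copied unchanged.
    sub replace_line_file_internal {
        my ($infile, $srch, $repl, $outfile) = @_;

        open(my $in, "<", $infile) or return 0;
        # Slurp the whole file.  A fixed 1024-byte read would silently drop
        # everything past that offset, so a longer config would be written
        # out truncated and the test would run against an incomplete file.
        my $msg = do { local $/; <$in> };
        close $in;
        return 0 unless defined $msg;

        $msg =~ s/$srch/$repl/;

        open(my $fh, ">", $outfile) or return 0;
        my $written = print {$fh} $msg;
        # Buffered write errors only surface at close, so check both.
        my $closed = close $fh;
        return ($written && $closed) ? 1 : 0;
    }

    # Read in the text input file $infile
    # and replace a single Key = Value line with a new value in $value.
    # OR remove the Key = Value line if the passed in $value is empty.
    # and then output a new file $outfile.
    # $key is the Key to find
    sub replace_kv_file {
        my ($infile, $key, $value, $outfile) = @_;
        # \Q...\E: the key is a literal name, not a pattern.
        my $srch = qr/\Q$key\E\s*=\s*\S*\n/;
        my $rep = $value eq "" ? "" : "$key = $value\n";
        return replace_line_file_internal($infile, $srch, $rep, $outfile);
    }

    # Read in the text $input file
    # and search for the $key and replace with $newkey
    # and then output a new file $outfile.
    sub replace_line_file {
        my ($infile, $key, $newkey, $outfile) = @_;
        # \Q...\E keeps the '.' in a file name such as "fipsmodule.cnf" from
        # matching any character.
        my $srch = qr/\Q$key\E/;
        my $rep = "$newkey";
        return replace_line_file_internal($infile,
                                          $srch, $rep, $outfile);
    }

    # The default fipsmodule.cnf in tests is set with -pedantic.
    # In order to enable the tls1-prf-ems-check=0 in a fips config file
    # copy the existing fipsmodule.cnf and modify it.
    # Then copy fips-and-base.cnf to make a file that includes the changed file
    #
    # The modified copies set two FIPS options to 0 and are written with
    # result_file(), so the original test configs are left untouched.
    $ENV{OPENSSL_CONF_INCLUDE} = result_dir();
    ok(replace_kv_file($fipsmodcfg,
                       'tls1-prf-ems-check', '0',
                       $fipsmodcfgtmp)
       && replace_kv_file($fipsmodcfgtmp,
                          'rsa-pkcs15-pad-disabled', '0',
                          $fipsmodcfgnew)
       && replace_line_file($provconf,
                            $fipsmodcfg_filename, $fipsmodcfgnew_filename,
                            $provconfnew)
       && run(test(["sslapitest", srctop_dir("test", "certs"),
                    srctop_file("test", "recipes", "90-test_sslapi_data",
                                "passwd.txt"),
                    $tmpfilename, "fips",
                    $provconfnew,
                    srctop_file("test",
                                "recipes",
                                "90-test_sslapi_data",
                                "dhparams.pem"),
                    srctop_dir("test",
                               "recipes",
                               "90-test_sslapi_data")])),
       "running sslapitest with modified fips config");
}

ok(run(test(["ssl_handshake_rtt_test"])),"running ssl_handshake_rtt_test");

unlink $tmpfilename;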