Disable HW acceleration when running TLSProxy tests

IBM reported that, since the introduction of the ossltest provider,
several tests are failing on s390x

They are failing because MAC computation on s390x uses hardware
acceleration, which bypasses the use of the ossltest provided digests.

Because TLSProxy tests rely on the return of known consistent data
(which the ossltest provider gives us), the HW acceleration ignores this
giving us real MAC's instead, causing the test to fail.

We could write an HMAC provided algorithm to override that behavior, but
since this only occurs on s390, and only in cases in which the
TLSprovider is used, it seems simpler, and more maintainable to just
disable hw acceleration on those tests (given that we don't want to use
the accelerated path anyway).

Set the capabilities register for s390 to enforce this in the TLSProxy
code.

Fixes #28630

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28633)

diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm
index 226a7d44b4e30f0380d751fe1cea185419bd1d35..5d578e838e718cb381c5f58b4964019d965a5cdc 100644 (file)
--- a/util/perl/TLSProxy/Proxy.pm
+++ b/util/perl/TLSProxy/Proxy.pm
@@ -275,6 +275,16 @@ sub start
     my ($self) = shift;
     my $pid;
 
+    #
+    # s390x is a somewhat special case here.  It uses hw acceleration under
+    # the covers when computing MACs, and in so doing avoids the use of the
+    # needed ossltest provider when computing the underlying digest.  Since
+    # TLSProxy needs the ossltest provider to compute reliable known data in
+    # the digest, we disable MAC hw accleration here to ensure that the provider
+    # gets used, just as it does with other architectures.
+    #
+    $ENV{OPENSSL_s390xcap} = "kmac:~0:~f000";
+
     # Create the Proxy socket
     my $proxaddr = $self->{proxy_addr};
     $proxaddr =~ s/[\[\]]//g; # Remove [ and ]