From: Pauli Date: Fri, 2 Aug 2024 01:50:59 +0000 (+1000) Subject: test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS X-Git-Tag: openssl-3.4.0-alpha1~199 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0575619ad60ccf5e48a7fae9d569f450e893b9a;p=thirdparty%2Fopenssl.git test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS Reviewed-by: Shane Lontis Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/25070) --- diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t index b967dc14c56..71db50c9c2a 100644 --- a/test/recipes/80-test_ssl_old.t +++ b/test/recipes/80-test_ssl_old.t @@ -13,7 +13,7 @@ use warnings; use POSIX; use File::Basename; use File::Copy; -use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file/; +use OpenSSL::Test qw/:DEFAULT with bldtop_file bldtop_dir srctop_file srctop_dir cmdstr data_file result_dir result_file/; use OpenSSL::Test::Utils; BEGIN { @@ -79,7 +79,7 @@ my $client_sess="client.ss"; # If you're adding tests here, you probably want to convert them to the # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead. plan tests => - ($no_fips ? 0 : 6) # testssl with fips provider + ($no_fips ? 0 : 7) # testssl with fips provider + 1 # For testss + 5 # For the testssl with default provider + 1 # For security level 0 failure tests 
@@ -105,8 +105,69 @@ if (disabled("legacy")) { testssl($Ukey, $Ucert, $CAcert, "default", $configfile); unless ($no_fips) { - testssl($Ukey, $Ucert, $CAcert, "fips", - srctop_file("test","fips-and-base.cnf")); + # Read in a text $infile and replace the regular expression in $srch with the + # value in $repl and output to a new file $outfile. + sub replace_line_file_internal { + + my ($infile, $srch, $repl, $outfile) = @_; + my $msg; + + open(my $in, "<", $infile) or return 0; + read($in, $msg, 1024); + close $in; + + $msg =~ s/$srch/$repl/; + + open(my $fh, ">", $outfile) or return 0; + print $fh $msg; + close $fh; + return 1; + } + + # Read in the text input file $infile + # and replace a single Key = Value line with a new value in $value. + # OR remove the Key = Value line if the passed in $value is empty. + # and then output a new file $outfile. + # $key is the Key to find + sub replace_kv_file { + my ($infile, $key, $value, $outfile) = @_; + my $srch = qr/$key\s*=\s*\S*\n/; + my $rep; + if ($value eq "") { + $rep = ""; + } else { + $rep = "$key = $value\n"; + } + return replace_line_file_internal($infile, $srch, $rep, $outfile); + } + + # Read in the text $input file + # and search for the $key and replace with $newkey + # and then output a new file $outfile. 
+ sub replace_line_file { + my ($infile, $key, $newkey, $outfile) = @_; + my $srch = qr/$key/; + my $rep = "$newkey"; + return replace_line_file_internal($infile, + $srch, $rep, $outfile); + } + + # Rewrite the module configuration to all PKCS#1 v1.5 padding + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); + my $provconf = srctop_file("test", "fips-and-base.cnf"); + my $provconfnew = result_file("fips-and-base-temp.cnf"); + my $fipsmodcfgnew_filename = "fipsmodule_mod.cnf"; + my $fipsmodcfgnew = result_file($fipsmodcfgnew_filename); + $ENV{OPENSSL_CONF_INCLUDE} = result_dir(); + ok(replace_kv_file($fipsmodcfg, + 'rsa-pkcs15-padding-disabled', '0', + $fipsmodcfgnew) + && replace_line_file($provconf, + $fipsmodcfg_filename, $fipsmodcfgnew_filename, + $provconfnew)); + + testssl($Ukey, $Ucert, $CAcert, "fips", $provconfnew); } # -----------
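Review bot: In `replace_line_file_internal`, `read($in, $msg, 1024)` copies at most the first 1024 bytes of the input, so a `fipsmodule.cnf` or `fips-and-base.cnf` longer than that is silently truncated in the rewritten copy, and the result of `s/$srch/$repl/` is never checked, so the helper returns 1 even when nothing was replaced. Either case lets `ok(...)` pass while the FIPS run uses a configuration other than the intended one, for instance with `rsa-pkcs15-padding-disabled` left as it was or with later module settings dropped. Slurp the whole file with `my $msg = do { local $/; <$in> };` and fail on a miss with `$msg =~ s/$srch/$repl/ or return 0;`. The `$key` values are also interpolated unescaped into `qr/$key/`, so the `.` in `fipsmodule.cnf` matches any character; `qr/\Q$key\E/` avoids that. `$ENV{OPENSSL_CONF_INCLUDE} = result_dir();` stays set for whatever the recipe runs after this block (not visible in the hunk), which `local $ENV{OPENSSL_CONF_INCLUDE} = result_dir();` would confine to the `unless` block.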