tests: skip TLS 1.2 resume tests without EMS under FIPS
authorDaiki Ueno <ueno@gnu.org>
Thu, 9 Mar 2023 05:09:14 +0000 (14:09 +0900)
committerDaiki Ueno <ueno@gnu.org>
Thu, 9 Mar 2023 12:17:07 +0000 (21:17 +0900)
In FIPS mode the extended master secret extension is mandatory, so the TLS 1.2
tests that deliberately negotiate sessions without it cannot pass; skip them there.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
tests/multi-alerts.c
tests/no-extensions.c
tests/ocsp-tests/ocsp-must-staple-connection.sh
tests/rehandshake-ext-secret.c
tests/resume.c
tests/status-request.c

index bbd6df25b89eaa0d3ea0d86e094be5a380016f09..7412d48fa136ec50aded94e6604dd4027b2543a8 100644 (file)
@@ -197,6 +197,14 @@ void doit(void)
        int sockets[2];
        int err;
 
+       /* This test does not work under FIPS, as extended master
+        * secret extension needs to be negotiated through extensions,
+        * but the fixture does not contain the extension.
+        */
+       if (gnutls_fips140_mode_enabled()) {
+               exit(77);
+       }
+
        err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets);
        if (err == -1) {
                perror("socketpair");
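Review bot: The new early `exit(77)` leaves no trace in the test log of why the run was skipped, whereas resume.c in this same commit logs via `success()` before skipping. If the utils.h `success()` helper is in scope here as it is in resume.c, I would add `success("skipping under FIPS mode: fixture lacks the extended master secret extension\n");` immediately before `exit(77);`, so a FIPS CI run that suddenly shows SKIP is self-explaining. A short `/* 77 = automake SKIP */` on the exit would also help readers who do not know the convention. doit() continues past the end of this hunk.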
index 87986af2e27baf8a5a1bd205d9ada19c746e787a..bb543b59bbedf144a0ac7346364b08faa6bcf26c 100644 (file)
@@ -210,6 +210,13 @@ void start(const char *prio, gnutls_protocol_t exp_version)
 
 void doit(void)
 {
+       /* This test does not work under FIPS, as extended master
+        * secret extension needs to be negotiated through extensions.
+        */
+       if (gnutls_fips140_mode_enabled()) {
+               exit(77);
+       }
+
        start("NORMAL:-VERS-ALL:+VERS-TLS1.0:%NO_EXTENSIONS", GNUTLS_TLS1_0);
        start("NORMAL:-VERS-ALL:+VERS-TLS1.1:%NO_EXTENSIONS", GNUTLS_TLS1_1);
        start("NORMAL:-VERS-ALL:+VERS-TLS1.2:%NO_EXTENSIONS", GNUTLS_TLS1_2);
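Review bot: The comment explains that EMS "needs to be negotiated through extensions" but does not name what prevents that, which is the `%NO_EXTENSIONS` keyword in the priority strings directly below it; tying the comment to that keyword makes the skip self-evident, e.g. `/* %NO_EXTENSIONS below suppresses the extended master secret extension, which FIPS mode requires for TLS 1.2, so the whole test is skipped there. */`. Note the guard also skips the TLS 1.0 and 1.1 runs and anything that follows below the hunk; if any later `start()` call does not depend on EMS, a per-call guard like the one used in status-request.c in this commit would preserve that coverage. doit() may continue past the end of this hunk.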
index eb9d8db7f8e29cdc6e10c40816c4fcb60b3d093d..880e50bbe51181f51c6076e3647d9831a87ea76f 100755 (executable)
@@ -401,39 +401,43 @@ kill "${TLS_SERVER_PID}"
 wait "${TLS_SERVER_PID}"
 unset TLS_SERVER_PID
 
-echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
-
-eval "${GETPORT}"
-# Port for gnutls-serv
-TLS_SERVER_PORT=$PORT
-PORT=${TLS_SERVER_PORT}
-launch_bare_server \
-         datefudge "${TESTDATE}" \
-         "${SERV}" --echo --disable-client-cert \
-         --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
-         --x509certfile="${SERVER_CERT_FILE}" \
-         --port="${TLS_SERVER_PORT}" \
-         --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
-TLS_SERVER_PID="${!}"
-wait_server $TLS_SERVER_PID
+if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then
+
+    echo "=== Test 7: OSCP response error - client doesn't send status_request ==="
+
+    eval "${GETPORT}"
+    # Port for gnutls-serv
+    TLS_SERVER_PORT=$PORT
+    PORT=${TLS_SERVER_PORT}
+    launch_bare_server \
+       datefudge "${TESTDATE}" \
+       "${SERV}" --echo --disable-client-cert \
+       --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \
+       --x509certfile="${SERVER_CERT_FILE}" \
+       --port="${TLS_SERVER_PORT}" \
+       --ocsp-response="${srcdir}/ocsp-tests/response3.der" --ignore-ocsp-response-errors
+    TLS_SERVER_PID="${!}"
+    wait_server $TLS_SERVER_PID
+
+    wait_for_port "${TLS_SERVER_PORT}"
+
+    echo "test 123456" | \
+       datefudge -s "${TESTDATE}" \
+                 "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
+                 --port="${TLS_SERVER_PORT}" localhost
+    rc=$?
 
-wait_for_port "${TLS_SERVER_PORT}"
+    if test "${rc}" != "0"; then
+       echo "Connecting to server with valid certificate and OCSP error response failed"
+       exit ${rc}
+    fi
 
-echo "test 123456" | \
-    datefudge -s "${TESTDATE}" \
-             "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \
-             --port="${TLS_SERVER_PORT}" localhost
-rc=$?
+    kill "${TLS_SERVER_PID}"
+    wait "${TLS_SERVER_PID}"
+    unset TLS_SERVER_PID
 
-if test "${rc}" != "0"; then
-    echo "Connecting to server with valid certificate and OCSP error response failed"
-    exit ${rc}
 fi
 
-kill "${TLS_SERVER_PID}"
-wait "${TLS_SERVER_PID}"
-unset TLS_SERVER_PID
-
 echo "=== Test 8: OSCP response error - client sends status_request, no TLS feature extension ==="
 
 eval "${GETPORT}"
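Review bot: The skip at the top of this hunk keys on the `GNUTLS_FORCE_FIPS_MODE` environment variable being exactly `1`, while the C tests in the same commit key on the library's runtime `gnutls_fips140_mode_enabled()`; as far as I know that function also reflects system-wide FIPS state and other values of the variable, so Test 7 would still run (and fail) on a host that is in FIPS mode without that exact variable setting. If this tree's `gnutls-cli` supports `--fips140-mode`, the script could ask the library instead, e.g. `if ! "${CLI}" --fips140-mode >/dev/null 2>&1; then` (verify its exit status convention first), or use whatever FIPS helper common.sh provides. Independently, the skipped case is silent: an `else echo "=== Test 7 skipped: %NO_EXTENSIONS is incompatible with FIPS mode ==="` branch before the closing `fi` would keep the log honest about missing coverage.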
index cdb8f5e838be11a4cd4582e747a8a66de39a83e5..93d26ca4c7857e6b150133754cb19c14b84ca5c9 100644 (file)
@@ -153,6 +153,14 @@ static void try(unsigned onclient)
 
 void doit(void)
 {
+       /* This test does not work with TLS 1.2 under FIPS, as
+        * extended master secret extension needs to be negotiated
+        * through extensions, while %NO_SESSION_HASH is set.
+        */
+       if (gnutls_fips140_mode_enabled()) {
+               exit(77);
+       }
+
        try(0);
        reset_buffers();
        try(1);
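Review bot: The comment says the test "does not work with TLS 1.2 under FIPS", but the guard skips the entire test, including whatever `try()` does for other protocol versions, which is not visible in this hunk. If `try()` also exercises TLS 1.3 (where the session-hash extension is not involved), the skip could be narrowed to the TLS 1.2 path the way status-request.c does in this same commit, or the comment should state that all versions are skipped and why. As in the other files, a `success("skipping under FIPS mode: %NO_SESSION_HASH disables the extended master secret\n");` before `exit(77);` would record the skip in the log. try() is defined above the hunk.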
index d307ee2accdc1576ca8169ee65becb3b673544b2..83e750af6695a6c314e17699945c216600878e27 100644 (file)
@@ -90,6 +90,7 @@ struct params_res {
        int change_ciphersuite;
        int early_start;
        int no_early_start;
+       int no_fips;
 };
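Review bot: The new `no_fips` field is a bare `int` with no description, and its meaning is only recoverable from the four table entries that set it and the check in doit(), all in other hunks. A one-line comment on the field, such as `int no_fips; /* skip under gnutls_fips140_mode_enabled(): needs a TLS 1.2 session without the extended master secret */`, tells the next person adding a table entry when to set it. The struct definition starts above this hunk.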
 
 pid_t child;
@@ -125,14 +126,16 @@ struct params_res resume_tests[] = {
         .enable_session_ticket_client = ST_NONE,
         .expect_resume = 0,
         .first_no_ext_master = 0,
-        .second_no_ext_master = 1},
+        .second_no_ext_master = 1,
+        .no_fips = 1},
        {.desc = "try to resume from db (none -> ext master secret)",
         .enable_db = 1,
         .enable_session_ticket_server = ST_NONE,
         .enable_session_ticket_client = ST_NONE,
         .expect_resume = 0,
         .first_no_ext_master = 1,
-        .second_no_ext_master = 0},
+        .second_no_ext_master = 0,
+        .no_fips = 1},
 # endif
 # if defined(TLS13)
        /* only makes sense under TLS1.3 as negotiation involves a new
@@ -214,7 +217,8 @@ struct params_res resume_tests[] = {
         .enable_session_ticket_client = ST_ALL,
         .expect_resume = 0,
         .first_no_ext_master = 0,
-        .second_no_ext_master = 1},
+        .second_no_ext_master = 1,
+        .no_fips = 1},
        {.desc =
         "try to resume from session ticket (none -> ext master secret)",
         .enable_db = 0,
@@ -222,7 +226,8 @@ struct params_res resume_tests[] = {
         .enable_session_ticket_client = ST_ALL,
         .expect_resume = 0,
         .first_no_ext_master = 1,
-        .second_no_ext_master = 0},
+        .second_no_ext_master = 0,
+        .no_fips = 1},
        {.desc = "try to resume from session ticket (server only)",
         .enable_db = 0,
         .enable_session_ticket_server = ST_ALL,
@@ -967,6 +972,12 @@ void doit(void)
                int client_sds[SESSIONS], server_sds[SESSIONS];
                int j;
 
+               if (resume_tests[i].no_fips && gnutls_fips140_mode_enabled()) {
+                       success("skipping %s under FIPS mode\n",
+                               resume_tests[i].desc);
+                       continue;
+               }
+
                printf("%s\n", resume_tests[i].desc);
 
                for (j = 0; j < SESSIONS; j++) {
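Review bot: The skip relies on a hand-maintained `no_fips` flag, and the entries that set it in the earlier hunks are exactly those where `first_no_ext_master` and `second_no_ext_master` differ; a new no-EMS entry added without the flag would silently start failing under FIPS. If no TLS 1.3 entry in the table sets those flags (I cannot see the whole table), the condition could be derived instead, `if (gnutls_fips140_mode_enabled() && (resume_tests[i].first_no_ext_master || resume_tests[i].second_no_ext_master))`, and the flag dropped; otherwise keep the flag but document that coupling at its declaration. The enclosing for loop and doit() begin above this hunk.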
index 752b222d9ad84726ff153c0222e6a5f4277d9714..5c165ae5f0672c24aab5df6cb72869325be2c25a 100644 (file)
@@ -289,7 +289,13 @@ void start(const char *prio)
 
 void doit(void)
 {
-       start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+       /* This test does not work with TLS 1.2 under FIPS, as
+        * extended master secret extension needs to be negotiated
+        * through extensions.
+        */
+       if (!gnutls_fips140_mode_enabled()) {
+               start("NORMAL:-VERS-ALL:+VERS-TLS1.2");
+       }
        start("NORMAL:-VERS-ALL:+VERS-TLS1.3");
        start("NORMAL");
 }
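Review bot: When FIPS mode is on, the TLS 1.2 run is dropped without any output, so a FIPS log for this test looks identical to a full run even though a third of its coverage is gone. For parity with resume.c in this commit, I would add an `else` branch: `} else { success("skipping TLS 1.2 under FIPS mode\n"); }` after the `start("NORMAL:-VERS-ALL:+VERS-TLS1.2");` call. The comment could also say what in `start()` blocks the extended master secret, since start() is defined above the hunk and the reason is not visible here.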