Merge pull request #664 from junaruga/wip/fips-test-pkey-fix-pending-…
…tests

test/openssl/test_pkey.rb: Fix pending tests in FIPS case.
rhenium authored Aug 16, 2023
2 parents 6424402 + f9980d8 commit 283958a
Showing 2 changed files with 26 additions and 5 deletions.
15 changes: 10 additions & 5 deletions test/openssl/test_pkey.rb
Expand Up @@ -82,8 +82,7 @@ def test_hmac_sign_verify
end

def test_ed25519
# https://github.com/openssl/openssl/issues/20758
pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
pend_on_openssl_issue_21493

# Test vector from RFC 8032 Section 7.1 TEST 2
priv_pem = <<~EOF
Expand All @@ -101,7 +100,13 @@ def test_ed25519
pub = OpenSSL::PKey.read(pub_pem)
rescue OpenSSL::PKey::PKeyError
# OpenSSL < 1.1.1
pend "Ed25519 is not implemented"
if !openssl?(1, 1, 1)
pend "Ed25519 is not implemented"
elsif OpenSSL.fips_mode && openssl?(3, 1, 0, 0)
# See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries
# with FIPS_UNAPPROVED_PROPERTIES in OpenSSL 3.1+.
pend "Ed25519 is not approved in OpenSSL 3.1+ FIPS code"
end
end
assert_instance_of OpenSSL::PKey::PKey, priv
assert_instance_of OpenSSL::PKey::PKey, pub
Expand Down Expand Up @@ -143,7 +148,7 @@ def test_ed25519
end

def test_x25519
pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
pend_on_openssl_issue_21493

# Test vector from RFC 7748 Section 6.1
alice_pem = <<~EOF
Expand Down Expand Up @@ -197,7 +202,7 @@ def raw_initialize
end

def test_compare?
pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
pend_on_openssl_issue_21493

key1 = Fixtures.pkey("rsa1024")
key2 = Fixtures.pkey("rsa1024")
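Review bot: In test_ed25519's `rescue OpenSSL::PKey::PKeyError` block, an error that matches neither branch (for example OpenSSL 1.1.1 or later outside FIPS mode, or FIPS mode before 3.1) is now swallowed. The test then carries on with `priv` and `pub` unset and fails at `assert_instance_of`, which hides the real parse error. Before this change the rescue always pended, so the fall-through is new; adding `else` followed by `raise` after the `elsif` branch would keep the original exception visible. The `# OpenSSL < 1.1.1` comment now sits above both branches and would read better inside the first one. The `begin` that this rescue belongs to starts outside the hunk.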
16 changes: 16 additions & 0 deletions test/openssl/utils.rb
Expand Up @@ -144,6 +144,22 @@ def libressl?(major = nil, minor = nil, fix = nil)
return false unless version
!major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
end

# OpenSSL 3: x25519 a decode from and then encode to a pem file corrupts the
# key if fips+base provider is used
# This issue happens in OpenSSL between 3.0,0 and 3.0.10 or between 3.1.0 and
# 3.1.2.
# https://github.com/openssl/openssl/issues/21493
# https://github.com/openssl/openssl/pull/21519
def pend_on_openssl_issue_21493
if OpenSSL.fips_mode &&
(
(openssl?(3, 0, 0, 0) && !openssl?(3, 0, 0, 11)) ||
(openssl?(3, 1, 0, 0) && !openssl?(3, 1, 0, 3))
)
pend('See <https://github.com/openssl/openssl/issues/21493>')
end
end
end

class OpenSSL::TestCase < Test::Unit::TestCase
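Review bot: The comment above `pend_on_openssl_issue_21493` describes only an x25519 decode/encode round trip, yet the same commit calls the helper from test_ed25519 and from test_compare?, which loads rsa1024 fixtures, so a reader cannot tell why those tests are pended. One more comment line stating which key types or operations the issue affects would close that gap, for example `# Also hit by test_ed25519 and test_compare?: <reason, to be filled in by the author>`. The version range also has a typo (`3.0,0`), and it would help to say that the bounds `openssl?(3, 0, 0, 11)` and `openssl?(3, 1, 0, 3)` presumably stand for the first fixed releases 3.0.11 and 3.1.3, since the argument layout of openssl? is not visible here. Because the helper skips FIPS-mode coverage, a precise scope matters more than usual.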
