From 4660bdea07e185b96c3b91be3e3b0a38959626ac Mon Sep 17 00:00:00 2001 From: Shane Lontis Date: Thu, 11 Apr 2019 09:47:12 +1000 Subject: [PATCH] Added Test::ok_nofips, Test::is_nofips & Test::isnt_nofips methods. Used to check that a test fails in fips mode i.e. ok_nofips(run(...)) Reviewed-by: Richard Levitte Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8661) --- util/perl/OpenSSL/Test.pm | 70 +++++++++++++++++++++++++++++++-- util/perl/OpenSSL/Test/Utils.pm | 5 ++- 2 files changed, 70 insertions(+), 5 deletions(-) diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm index daf40cb102..5d6e9d9b6c 100644 --- a/util/perl/OpenSSL/Test.pm +++ b/util/perl/OpenSSL/Test.pm @@ -1,4 +1,4 @@ -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -14,7 +14,7 @@ use Test::More 0.96; use Exporter; use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); -$VERSION = "0.8"; +$VERSION = "1.0"; @ISA = qw(Exporter); @EXPORT = (@Test::More::EXPORT, qw(setup run indir cmd app fuzz test perlapp perltest subtest)); @@ -22,7 +22,8 @@ $VERSION = "0.8"; srctop_dir srctop_file data_file data_dir pipe with cmdstr quotify - openssl_versions)); + openssl_versions + ok_nofips is_nofips isnt_nofips)); =head1 NAME @@ -831,6 +832,63 @@ sub openssl_versions { return @versions; } +=over 4 + +=item B + +C is equivalent to using C when the environment variable +C is undefined, otherwise it is equivalent to C. This can be +used for C tests that must fail when testing a FIPS provider. The parameters +are the same as used by C which is an expression EXPR followed by the test +description TEST_NAME. + +An example: + + ok_nofips(run(app(["md5.pl"])), "md5 should fail in fips mode"); + +=item B + +C is equivalent to using C when the environment variable +C is undefined, otherwise it is equivalent to C. This can be +used for C tests that must fail when testing a FIPS provider. The parameters +are the same as used by C which has 2 arguments EXPR1 and EXPR2 that can be +compared using eq or ne, followed by a test description TEST_NAME. + +An example: + + is_nofips(ultimate_answer(), 42, "Meaning of Life"); + +=item B + +C is equivalent to using C when the environment variable +C is undefined, otherwise it is equivalent to C. This can be +used for C tests that must fail when testing a FIPS provider. The +parameters are the same as used by C which has 2 arguments EXPR1 and EXPR2 +that can be compared using ne or eq, followed by a test description TEST_NAME. + +An example: + + isnt_nofips($foo, '', "Got some foo"); + +=back + +=cut + +sub ok_nofips { + return ok(!$_[0], @_[1..$#_]) if defined $ENV{FIPS_MODE}; + return ok($_[0], @_[1..$#_]); +} + +sub is_nofips { + return isnt($_[0], $_[1], @_[2..$#_]) if defined $ENV{FIPS_MODE}; + return is($_[0], $_[1], @_[2..$#_]); +} + +sub isnt_nofips { + return is($_[0], $_[1], @_[2..$#_]) if defined $ENV{FIPS_MODE}; + return isnt($_[0], $_[1], @_[2..$#_]); +} + ###################################################################### # private functions. These are never exported. @@ -861,6 +919,12 @@ are located. Defaults to C<$TOP/test> (adapted to the operating system). If defined, it puts testing in a different mode, where a recipe with failures will result in a C at the end of its run. +=item B + +If defined it indicates that the FIPS provider is being tested. Tests may use +B, B and B to invert test results +i.e. Some tests may only work in non FIPS mode. + =back =cut diff --git a/util/perl/OpenSSL/Test/Utils.pm b/util/perl/OpenSSL/Test/Utils.pm index 18ef9685a2..dcff6a5c99 100644 --- a/util/perl/OpenSSL/Test/Utils.pm +++ b/util/perl/OpenSSL/Test/Utils.pm @@ -1,4 +1,4 @@ -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -53,6 +53,7 @@ STRING is "tls", or for all the available DTLS versions if STRING is returned list can be used with B and B. =item B + =item B In an array context returns an array with each element set to 1 if the @@ -67,6 +68,7 @@ disabled. Returns an item from the %config hash in \$TOP/configdata.pm. =item B + =item B Return true if IPv4 / IPv6 is possible to use on the current system. @@ -225,7 +227,6 @@ sub have_IPv6 { return $have_IPv6; } - =head1 SEE ALSO L