The branch openssl-3.0 has been updated via 5b896265e7305f85f3b14283869393c255ab401e (commit) from f8543a08ffe18485b2e1361d4f496d33d6e6f35e (commit)
- Log ----------------------------------------------------------------- commit 5b896265e7305f85f3b14283869393c255ab401e Author: Dmitry Belyavskiy <beld...@gmail.com> Date: Wed Sep 22 16:40:13 2021 +0200 FIPS and KTLS may interfere New Linux kernels (>= 5.11) enable KTLS CHACHA which is not FIPS-suitable. Fixes #16657 Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16658) (cherry picked from commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f) ----------------------------------------------------------------------- Summary of changes: .github/workflows/ci.yml | 13 +++++++++++++ test/sslapitest.c | 10 ++++++++++ 2 files changed, 23 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c7a344c529..b52b8c15f4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -179,6 +179,19 @@ jobs: - name: make test run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + fips_and_ktls: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: modprobe tls + run: sudo modprobe tls + - name: config + run: ./config --banner=Configured --strict-warnings enable-ktls enable-fips && perl configdata.pm --dump + - name: make + run: make -s -j4 + - name: make test + run: make test HARNESS_JOBS=${HARNESS_JOBS:-4} + no-legacy: runs-on: ubuntu-latest steps: diff --git a/test/sslapitest.c b/test/sslapitest.c index e95d2657f4..7af0eab3fc 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), 
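Review bot: The `fips_and_ktls` job runs on `ubuntu-latest`, but the commit message ties the failure to Linux kernels >= 5.11, so whether this job reaches the KTLS CHACHA path depends on whichever kernel the runner image ships at the time. A step such as `- name: kernel version` with `run: uname -r` ahead of `modprobe tls` would record that in the job log, and a short comment above the job saying why it exists (FIPS and KTLS built together, see #16657) would help later readers. Separately, `actions/checkout@v2` is a movable tag; pinning to a commit SHA is the more defensible choice for a crypto library's CI, though the rest of the workflow, which lies outside this hunk, may deliberately use the same tag.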
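Review bot: The new skip in `execute_test_ktls` decides FIPS suitability by a substring match on the suite name, `strstr(cipher, "CHACHA")`, and the same four lines are repeated in `execute_test_ktls_sendfile` in the next hunk, so any further non-approved cipher that a kernel starts offloading needs two edits and fails the same way until then. A small static helper, for example `static int ktls_cipher_ok_for_fips(const char *cipher)` (the name is only a suggestion), would keep the two call sites in step. Neither site says why the skip exists; a comment such as `/* Kernels >= 5.11 offer CHACHA for KTLS, which is not FIPS-suitable */` above the `if` would carry the commit message's reasoning into the code. The change only adjusts the test: whether libssl itself declines to hand CHACHA to the kernel when the FIPS provider is in use cannot be seen from these hunks and is worth confirming. Both function bodies start and end outside the hunks shown.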
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) goto end; } + if (is_fips && strstr(cipher, "CHACHA") != NULL) { + testresult = TEST_skip("CHACHA is not supported in FIPS"); + goto end; + } + /* Create a session based on SHA-256 */ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),