The branch openssl-3.0 has been updated
       via  5b896265e7305f85f3b14283869393c255ab401e (commit)
      from  f8543a08ffe18485b2e1361d4f496d33d6e6f35e (commit)


- Log -----------------------------------------------------------------
commit 5b896265e7305f85f3b14283869393c255ab401e
Author: Dmitry Belyavskiy <beld...@gmail.com>
Date:   Wed Sep 22 16:40:13 2021 +0200

    FIPS and KTLS may interfere
    
    New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
    FIPS-suitable.
    
    Fixes #16657
    
    Reviewed-by: Paul Dale <pa...@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16658)
    
    (cherry picked from commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f)

-----------------------------------------------------------------------

Summary of changes:
 .github/workflows/ci.yml | 13 +++++++++++++
 test/sslapitest.c        | 10 ++++++++++
 2 files changed, 23 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c7a344c529..b52b8c15f4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -179,6 +179,19 @@ jobs:
     - name: make test
       run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
 
+  fips_and_ktls:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: modprobe tls
+      run: sudo modprobe tls
+    - name: config
+      run: ./config --banner=Configured --strict-warnings enable-ktls 
enable-fips && perl configdata.pm --dump
+    - name: make
+      run: make -s -j4
+    - name: make test
+      run: make test HARNESS_JOBS=${HARNESS_JOBS:-4}
+
   no-legacy:
     runs-on: ubuntu-latest
     steps:
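Review bot: `actions/checkout@v2` in the new `fips_and_ktls` job is referenced by a mutable tag, so the action code that runs on the runner ahead of `sudo modprobe tls` can change without any change in this repository. Pinning it to a full commit SHA, `uses: actions/checkout@<full-commit-sha>  # v2`, removes that gap. The other jobs in ci.yml lie outside this hunk, so if they use the same tag form the pin is better applied file-wide in one change. The job would also read better with a one-line comment above it saying why it exists, e.g. `# KTLS on kernels >= 5.11 offers CHACHA, which is not FIPS-suitable (see #16657)`.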
diff --git a/test/sslapitest.c b/test/sslapitest.c
index e95d2657f4..7af0eab3fc 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls,
         goto end;
     }
 
+    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+        testresult = TEST_skip("CHACHA is not supported in FIPS");
+        goto end;
+    }
+
     /* Create a session based on SHA-256 */
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                        TLS_client_method(),
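Review bot: The added `is_fips && strstr(cipher, "CHACHA") != NULL` branch turns the FIPS-plus-CHACHA case into a skip, so in an enable-fips enable-ktls build nothing asserts that a CHACHA ciphersuite is actually refused rather than offloaded to the kernel. A negative check (expect the setup or handshake to fail, or expect KTLS not to be enabled on either side) would catch a regression that a skip hides. The same five lines are added again in execute_test_ktls_sendfile, so a small static helper shared by both tests would keep the two copies in step. A comment above the check would record the reason: `/* Linux >= 5.11 offers KTLS CHACHA, which is not FIPS-suitable */`. Both function bodies start and end outside their hunks, so what the cleanup at `end` expects at this point is not visible here.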
@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, 
const char *cipher)
         goto end;
     }
 
+    if (is_fips && strstr(cipher, "CHACHA") != NULL) {
+        testresult = TEST_skip("CHACHA is not supported in FIPS");
+        goto end;
+    }
+
     /* Create a session based on SHA-256 */
     if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
                                        TLS_client_method(),
