Run sslapi test with the FIPS module #11508
mattcaswell wants to merge 8 commits into openssl:master
Fixup pushed containing some code that I had locally but somehow managed to miss including in this PR
Updated to address comments above.
We also don't load the default provider into the default libctx to make sure there is no accidental "leakage".
There were a few places where we were not passing through the libctx when constructing an EVP_PKEY_CTX.
5a2a471 to a55518a
Fixup pushed addressing the comment from @levitte above.
I have added a change to skip the fips tests if "fips" is disabled.
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.
| "passwd.txt"), $tmpfilename, "fips", | ||
| srctop_file("test", "fips.cnf")])), | ||
| "running sslapitest"); | ||
| unless ($no_fips) { |
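Review bot: at `unless ($no_fips) {`, the FIPS run of sslapitest disappears from the test output without a trace when "fips" is disabled, and the plan has to be sized conditionally to match. Wrapping the run in a `SKIP:` block with a reason, for example `skip "fips is disabled", 1 if $no_fips;`, keeps the plan fixed and records in the TAP output that the FIPS provider path was not exercised.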
Would a SKIP block here be more sensible? It avoids computing the number of tests in the plan.
we do it this way in quite a few other places..
As for resetting the timer, I'm unsure.
I don't think it needs to restart - all that got changed is that a test that is not supposed to run doesn't run now.
I'm fine either way, there isn't a lot of difference.
This is fixing up the wrong commit - but that can be addressed during merge
Apparently the github UI won't let me approve my own PR. But anyway for the record I approve Shane's last commit - and will sort out during the push to make sure it fixes up the correct commit.
Pushed! Thanks.
We also don't load the default provider into the default libctx to make sure there is no accidental "leakage". Reviewed-by: Paul Dale <[email protected]> (Merged from #11508)
Reviewed-by: Paul Dale <[email protected]> (Merged from #11508)
There were a few places where we were not passing through the libctx when constructing an EVP_PKEY_CTX. Reviewed-by: Paul Dale <[email protected]> (Merged from #11508)
We run sslapitest twice: Once with a non-default library context with the default provider loaded into it, and once with a non-default library context with the FIPS provider loaded into it. In both cases we load the "null" provider into the default context to make sure we don't accidentally pick up algorithms from there.
This will fail when running the sslapitest since it requires all the key gen PRs to be merged first (and I have not included them here). However, aside from the dependencies this should be fairly complete and can be reviewed.