From b33a90d20b3b68d6bc59c9b4251819df9ebe3e86 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 9 Jan 2026 20:58:03 +0100
Subject: [PATCH] tests: Provide minimal openssl configuration file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When we use empty configuration file, some stuff go south in c10s and for example fips mode detection does not work anymore. Providing minimal configuration file avoids the issues of loading the provider too early, while keeping fips mode activation working and tests happy. It also configures the pkcs11-provider to assume the token provides FIPS approved crypto so the tests can work.
Signed-off-by: Jakub Jelen
Reviewed-by: Pavol Žáčik
Reviewed-by: Andreas Schneider
---
 tests/client/torture_auth_pkcs11.c | 2 +-
 tests/etc/openssl.cnf | 11 +++++++++++
 tests/unittests/torture_pki_ecdsa_uri.c | 2 +-
 tests/unittests/torture_pki_ed25519_uri.c | 2 +-
 tests/unittests/torture_pki_rsa_uri.c | 2 +-
 5 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 tests/etc/openssl.cnf
diff --git a/tests/client/torture_auth_pkcs11.c b/tests/client/torture_auth_pkcs11.c
index bb856c9c..d33a400b 100644
--- a/tests/client/torture_auth_pkcs11.c
+++ b/tests/client/torture_auth_pkcs11.c
@@ -283,7 +283,7 @@ int torture_run_tests(void)
 * tokens, causing unexpected failures.
 * Make sure this comes before ssh_init(), which initializes OpenSSL!
 */
- setenv("OPENSSL_CONF", "/dev/null", 1);
+ setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1);
 ssh_init();
 torture_filter_tests(tests);
diff --git a/tests/etc/openssl.cnf b/tests/etc/openssl.cnf
new file mode 100644
index 00000000..7149b6bf
--- /dev/null
+++ b/tests/etc/openssl.cnf
@@ -0,0 +1,11 @@
+openssl_conf = openssl_init
+[openssl_init]
+providers = provider_sect
+[provider_sect]
+default = default_sect
+pkcs11 = pkcs11_sect
+[default_sect]
+activate = 1
+[pkcs11_sect]
+activate = 1
+pkcs11-module-assume-fips = true
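Review bot: The return value of the new `setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1)` call is discarded, so if it fails the process keeps whatever OPENSSL_CONF it inherited and ssh_init() may initialise OpenSSL from the system configuration, which the comment above the call appears to guard against. The same unchecked call is added in the hunks for torture_pki_ecdsa_uri.c, torture_pki_ed25519_uri.c and torture_pki_rsa_uri.c. Checking it, for example `if (setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1) != 0) { return 1; }`, makes the tests fail closed. Unlike `/dev/null`, the new path exists only while SOURCEDIR still points at the checkout at run time; as far as I know OpenSSL's automatic configuration loading tolerates a missing file, so a stale path would probably go unnoticed too. The body of torture_run_tests starts and ends outside the hunk.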
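Review bot: The new tests/etc/openssl.cnf has no comments, and `pkcs11-module-assume-fips = true` is a setting that should not be copied without one. Per the commit message, it makes the pkcs11-provider assume the token provides FIPS approved crypto instead of establishing that. I would add a header such as `# Test-only OpenSSL configuration, loaded through OPENSSL_CONF by the pkcs11 URI tests.` and, directly above the option, `# Test tokens only: treat the token as FIPS approved; do not reuse outside the test suite.` The `[pkcs11_sect]` section also names no module path, so which PKCS#11 module gets loaded presumably depends on the provider's defaults or on the environment the tests set up; a one-line comment saying where it comes from would help.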
diff --git a/tests/unittests/torture_pki_ecdsa_uri.c b/tests/unittests/torture_pki_ecdsa_uri.c
index c7b043ff..7e6cb8bf 100644
--- a/tests/unittests/torture_pki_ecdsa_uri.c
+++ b/tests/unittests/torture_pki_ecdsa_uri.c
@@ -569,7 +569,7 @@ int torture_run_tests(void) {
 * tokens, causing unexpected failures.
 * Make sure this comes before ssh_init(), which initializes OpenSSL!
 */
- setenv("OPENSSL_CONF", "/dev/null", 1);
+ setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1);
 ssh_init();
 ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
diff --git a/tests/unittests/torture_pki_ed25519_uri.c b/tests/unittests/torture_pki_ed25519_uri.c
index 25992799..09ccab4f 100644
--- a/tests/unittests/torture_pki_ed25519_uri.c
+++ b/tests/unittests/torture_pki_ed25519_uri.c
@@ -338,7 +338,7 @@ int torture_run_tests(void)
 * tokens, causing unexpected failures.
 * Make sure this comes before ssh_init(), which initializes OpenSSL!
 */
- setenv("OPENSSL_CONF", "/dev/null", 1);
+ setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1);
 ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
diff --git a/tests/unittests/torture_pki_rsa_uri.c b/tests/unittests/torture_pki_rsa_uri.c
index 4e47c4f0..645f5465 100644
--- a/tests/unittests/torture_pki_rsa_uri.c
+++ b/tests/unittests/torture_pki_rsa_uri.c
@@ -291,7 +291,7 @@ torture_run_tests(void)
 * tokens, causing unexpected failures.
 * Make sure this comes before ssh_init(), which initializes OpenSSL!
 */
- setenv("OPENSSL_CONF", "/dev/null", 1);
+ setenv("OPENSSL_CONF", SOURCEDIR "/tests/etc/openssl.cnf", 1);
 ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);