Commit d40bfaca75 for openssl.org
commit d40bfaca75c2e44eeada073359e2f51f59add1ab
Author: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Date: Fri Apr 25 23:56:48 2025 +0100
fips: Skip testing RFC 9579 good files as they use short salt & password
The RFC 9579 good files are always tested with the default provider.
The RFC 9579 good files use a salt and a password that are too short, so
a strictly compliant FIPS provider with lower bounds enforcement
should no longer be able to open them.
If checking positive files is desired, these could be regenerated with
longer salt and password, but not too sure if it is worth it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar 4 17:25:53 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 329f3a134b..56a8e3fcb7 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-plan tests => $no_fips ? 58 : 69;
+plan tests => $no_fips ? 58 : 63;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
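Review bot: Nothing in the visible hunks records in the test file itself why the RFC 9579 good files are no longer run against the FIPS provider; the only trace is the FIPS plan count on the `plan tests` line going from 69 to 63. That arithmetic matches the six `ok()` calls deleted in the next hunk (three files, two checks each), so the count itself looks right. I would add a comment above the remaining default-provider loop over the `.good.p12` files, e.g. `# RFC 9579 good files use a salt and password below FIPS lower bounds, so they are only tested with the default provider`. That keeps the missing positive PBMAC1 coverage under FIPS visible as a deliberate gap, to be closed if the vectors are ever regenerated with a compliant salt and password.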
@@ -213,28 +213,6 @@ for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_
"test pbmac1 pkcs12 file $file");
}
-
-unless ($no_fips) {
- my $provpath = bldtop_dir("providers");
- my $provconf = srctop_file("test", "fips-and-base.cnf");
- my $provname = 'fips';
- my @prov = ("-provider-path", $provpath,
- "-provider", $provname);
- local $ENV{OPENSSL_CONF} = $provconf;
-
-# Test pbmac1 pkcs12 good files, RFC 9579
- for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
- {
- my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
- ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
- "test pbmac1 pkcs12 file $file");
-
- ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
- "-passin", "pass:1234"], stderr => "${file}_info.txt")),
- "test_export_pkcs12_${file}_info");
- }
-}
-
# Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12",
"pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",