Commit a31d5fe8f7 for openssl.org
commit a31d5fe8f718c6f5ac22567d58273a21993d5345
Author: Mayank Jangid <mayank.jangid.moon@gmail.com>
Date: Tue Apr 28 23:10:42 2026 +0530
test: skip verify_recover regression for FIPS
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed May 27 11:46:44 2026
(Merged from https://github.com/openssl/openssl/pull/30917)
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index c8343936f0..7242166e76 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -4036,12 +4036,11 @@ err:
return ret;
}
-static int do_RSA_verify_recover_rejects_short_buffer(EVP_PKEY *pkey,
- const char *propq)
+static int test_RSA_verify_recover_rejects_short_buffer(void)
{
int ret = 0;
int recovered_cap = 0;
- EVP_MD *sha256 = NULL;
+ EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *sign_ctx = NULL, *verify_ctx = NULL;
unsigned char *sig = NULL, *recovered = NULL;
size_t sig_len = 0, recovered_len = 0;
@@ -4054,14 +4053,16 @@ static int do_RSA_verify_recover_rejects_short_buffer(EVP_PKEY *pkey,
for (i = 0; i < sizeof(digest); i++)
digest[i] = (unsigned char)i;
- if (!TEST_ptr(pkey)
- || !TEST_ptr(sha256 = EVP_MD_fetch(testctx, "SHA2-256", propq))
- || !TEST_ptr(sign_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, propq))
+ if (OSSL_PROVIDER_available(testctx, "fips"))
+ return TEST_skip("Test skipped for FIPS provider");
+
+ if (!TEST_ptr(pkey = load_example_rsa_key())
+ || !TEST_ptr(sign_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey, NULL))
|| !TEST_int_gt(EVP_PKEY_sign_init(sign_ctx), 0)
|| !TEST_int_gt(EVP_PKEY_CTX_set_rsa_padding(sign_ctx,
RSA_PKCS1_PADDING),
0)
- || !TEST_int_gt(EVP_PKEY_CTX_set_signature_md(sign_ctx, sha256),
+ || !TEST_int_gt(EVP_PKEY_CTX_set_signature_md(sign_ctx, EVP_sha256()),
0)
|| !TEST_int_gt(EVP_PKEY_sign(sign_ctx, NULL, &sig_len, digest,
sizeof(digest)),
@@ -4073,12 +4074,12 @@ static int do_RSA_verify_recover_rejects_short_buffer(EVP_PKEY *pkey,
|| !TEST_int_gt(recovered_cap = EVP_PKEY_get_size(pkey), 0)
|| !TEST_ptr(recovered = OPENSSL_malloc(recovered_cap))
|| !TEST_ptr(verify_ctx = EVP_PKEY_CTX_new_from_pkey(testctx, pkey,
- propq))
+ NULL))
|| !TEST_int_gt(EVP_PKEY_verify_recover_init(verify_ctx), 0)
|| !TEST_int_gt(EVP_PKEY_CTX_set_rsa_padding(verify_ctx,
RSA_PKCS1_PADDING),
0)
- || !TEST_int_gt(EVP_PKEY_CTX_set_signature_md(verify_ctx, sha256),
+ || !TEST_int_gt(EVP_PKEY_CTX_set_signature_md(verify_ctx, EVP_sha256()),
0))
goto done;
@@ -4106,62 +4107,14 @@ static int do_RSA_verify_recover_rejects_short_buffer(EVP_PKEY *pkey,
ret = 1;
done:
- EVP_MD_free(sha256);
EVP_PKEY_CTX_free(sign_ctx);
EVP_PKEY_CTX_free(verify_ctx);
+ EVP_PKEY_free(pkey);
OPENSSL_free(sig);
OPENSSL_free(recovered);
return ret;
}
-static int test_RSA_verify_recover_rejects_short_buffer(void)
-{
- int ret = 0;
- EVP_PKEY *pkey = NULL;
-
- if (!TEST_ptr(pkey = load_example_rsa_key()))
- goto done;
-
- ret = do_RSA_verify_recover_rejects_short_buffer(pkey, NULL);
-
-done:
- EVP_PKEY_free(pkey);
- return ret;
-}
-
-static int test_RSA_verify_recover_rejects_short_buffer_fips(void)
-{
- static const char fips_propq[] = "provider=fips";
- int fipsver = 0;
- int ret = 0;
- EVP_PKEY *pkey = NULL;
- OSSL_PROVIDER *fipsprov = NULL;
-
- if (!OSSL_PROVIDER_available(testctx, "fips"))
- return TEST_skip("Test requires FIPS provider");
-
- if (!TEST_ptr(fipsprov = OSSL_PROVIDER_load(testctx, "fips")))
- goto done;
- if (!TEST_int_ge(fipsver = fips_provider_version_match(testctx,
- "!3.0.0 !3.0.8 !3.0.9 !3.1.2"),
- 0))
- goto done;
- if (fipsver == 0) {
- ret = TEST_skip("Test skipped for old FIPS providers");
- goto done;
- }
- if (!TEST_ptr(pkey = EVP_PKEY_Q_keygen(testctx, fips_propq, "RSA",
- (size_t)2048)))
- goto done;
-
- ret = do_RSA_verify_recover_rejects_short_buffer(pkey, fips_propq);
-
-done:
- EVP_PKEY_free(pkey);
- OSSL_PROVIDER_unload(fipsprov);
- return ret;
-}
-
static int test_RSA_encrypt(void)
{
int ret = 0;
@@ -8085,7 +8038,6 @@ int setup_tests(void)
ADD_TEST(test_RSA_OAEP_set_get_params);
ADD_TEST(test_RSA_OAEP_set_null_label);
ADD_TEST(test_RSA_verify_recover_rejects_short_buffer);
- ADD_TEST(test_RSA_verify_recover_rejects_short_buffer_fips);
ADD_TEST(test_RSA_encrypt);
#ifndef OPENSSL_NO_DEPRECATED_3_0
ADD_TEST(test_RSA_legacy);