Add 'fips-securitychecks' option and plumb this into the actual fips checks

[openssl.git] / test / evp_test.c

diff --git a/test/evp_test.c b/test/evp_test.c
index 958718b1ba79680f3487537c060e19306c4f57ba..14ea4a84966d2f912d9b021dfdb05ff4eac6fee9 100644 (file)
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -27,8 +27,6 @@
 #include "testutil.h"
 #include "evp_test.h"
 
-DEFINE_STACK_OF_STRING()
-
 #define AAD_NUM 4
 
 typedef struct evp_test_method_st EVP_TEST_METHOD;
@@ -1151,7 +1149,7 @@ static int mac_test_run_pkey(EVP_TEST *t)
                   OBJ_nid2sn(expected->type), expected->alg);
 
     if (expected->type == EVP_PKEY_CMAC) {
-        if (is_cipher_disabled(expected->alg)) {
+        if (expected->alg != NULL && is_cipher_disabled(expected->alg)) {
             TEST_info("skipping, PKEY CMAC '%s' is disabled", expected->alg);
             t->skip = 1;
             t->err = NULL;
@@ -1161,8 +1159,10 @@ static int mac_test_run_pkey(EVP_TEST *t)
             t->err = "MAC_KEY_CREATE_ERROR";
             goto err;
         }
-        key = EVP_PKEY_new_CMAC_key(NULL, expected->key, expected->key_len,
-                                    cipher);
+        key = EVP_PKEY_new_CMAC_key_with_libctx(expected->key,
+                                                expected->key_len,
+                                                EVP_CIPHER_name(cipher),
+                                                libctx, NULL);
     } else {
         key = EVP_PKEY_new_raw_private_key_with_libctx(libctx,
                                                        OBJ_nid2sn(expected->type),
@@ -1174,7 +1174,7 @@ static int mac_test_run_pkey(EVP_TEST *t)
         goto err;
     }
 
-    if (expected->type == EVP_PKEY_HMAC) {
+    if (expected->type == EVP_PKEY_HMAC && expected->alg != NULL) {
         if (is_digest_disabled(expected->alg)) {
             TEST_info("skipping, HMAC '%s' is disabled", expected->alg);
             t->skip = 1;
@@ -1627,8 +1627,11 @@ static int pderive_test_parse(EVP_TEST *t,
         EVP_PKEY *peer;
         if (find_key(&peer, value, public_keys) == 0)
             return -1;
-        if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0)
-            return -1;
+        if (EVP_PKEY_derive_set_peer(kdata->ctx, peer) <= 0) {
+            t->err = "DERIVE_SET_PEER_ERROR";
+            return 1;
+        }
+        t->err = NULL;
         return 1;
     }
     if (strcmp(keyword, "SharedSecret") == 0)
@@ -3251,11 +3254,10 @@ static void free_key_list(KEY_LIST *lst)
  */
 static int key_unsupported(void)
 {
-    long err = ERR_peek_error();
+    long err = ERR_peek_last_error();
 
     if (ERR_GET_LIB(err) == ERR_LIB_EVP
-            && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM
-                || ERR_GET_REASON(err) == EVP_R_FETCH_FAILED)) {
+            && (ERR_GET_REASON(err) == EVP_R_UNSUPPORTED_ALGORITHM)) {
         ERR_clear_error();
         return 1;
     }
@@ -3266,7 +3268,8 @@ static int key_unsupported(void)
      * disabled).
      */
     if (ERR_GET_LIB(err) == ERR_LIB_EC
-        && ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP) {
+        && (ERR_GET_REASON(err) == EC_R_UNKNOWN_GROUP
+            || ERR_GET_REASON(err) == EC_R_INVALID_CURVE)) {
         ERR_clear_error();
         return 1;
     }
@@ -3440,7 +3443,14 @@ start:
     }
 
     for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
-        if (strcmp(pp->key, "Availablein") == 0) {
+        if (strcmp(pp->key, "Securitycheck") == 0) {
+#if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
+            TEST_info("skipping, securitycheck is not available: %s:%d",
+                      t->s.test_file, t->s.start);
+            t->skip = 1;
+            return 0;
+#endif
+        } else if (strcmp(pp->key, "Availablein") == 0) {
             TEST_info("Line %d: 'Availablein' should be the first option",
                       t->s.curr);
             return 0;