Test that we can use the FIPS provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8537)

test/build.info

@@ -186,6 +186,9 @@ IF[{- !$disabled{tests} -}]
   SOURCE[evp_extra_test]=evp_extra_test.c
   INCLUDE[evp_extra_test]=../include ../apps/include ../crypto/include
   DEPEND[evp_extra_test]=../libcrypto libtestutil.a
+  IF[{- $disabled{fips} || !$target{dso_scheme} -}]
+    DEFINE[evp_extra_test]=NO_FIPS_MODULE
+  ENDIF
 
   SOURCE[igetest]=igetest.c
   INCLUDE[igetest]=../include ../apps/include

test/evp_extra_test.c

@@ -1098,12 +1098,14 @@ static int calculate_digest(const EVP_MD *md, const char *msg, size_t len,
  * Test 0: Test with the default OPENSSL_CTX
  * Test 1: Test with an explicit OPENSSL_CTX
  * Test 2: Explicit OPENSSL_CTX with explicit load of default provider
+ * Test 3: Explicit OPENSSL_CTX with explicit load of default and fips provider
+ * Test 4: Explicit OPENSSL_CTX with explicit load of fips provider
  */
 static int test_EVP_MD_fetch(int tst)
 {
     OPENSSL_CTX *ctx = NULL;
     EVP_MD *md = NULL;
-    OSSL_PROVIDER *prov = NULL;
+    OSSL_PROVIDER *defltprov = NULL, *fipsprov = NULL;
     int ret = 0;
     const char testmsg[] = "Hello world";
     const unsigned char exptd[] = {
@@ -1117,9 +1119,14 @@ static int test_EVP_MD_fetch(int tst)
         if (!TEST_ptr(ctx))
             goto err;
 
-        if (tst == 2) {
-            prov = OSSL_PROVIDER_load(ctx, "default");
-            if (!TEST_ptr(prov))
+        if (tst == 2 || tst == 3) {
+            defltprov = OSSL_PROVIDER_load(ctx, "default");
+            if (!TEST_ptr(defltprov))
+                goto err;
+        }
+        if (tst == 3 || tst == 4) {
+            fipsprov = OSSL_PROVIDER_load(ctx, "fips");
+            if (!TEST_ptr(fipsprov))
                 goto err;
         }
     }
@@ -1132,8 +1139,8 @@ static int test_EVP_MD_fetch(int tst)
         goto err;
 
     /*
-     * Test that without loading any providers or specifying any properties we
-     * can get a sha256 md from the default provider.
+     * Test that without specifying any properties we can get a sha256 md from a
+     * provider.
      */
     if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", NULL))
             || !TEST_ptr(md)
@@ -1152,28 +1159,67 @@ static int test_EVP_MD_fetch(int tst)
     md = NULL;
 
     /*
-     * We've only loaded the default provider so explicitly asking for a
-     * non-default implementation should fail.
+     * In tests 0 - 2 we've only loaded the default provider so explicitly
+     * asking for a non-default implementation should fail. In tests 3 and 4 we
+     * have the FIPS provider loaded so we should succeed in that case.
      */
-    if (!TEST_ptr_null(md = EVP_MD_fetch(ctx, "SHA256", "default=no")))
-        goto err;
+    md = EVP_MD_fetch(ctx, "SHA256", "default=no");
+    if (tst == 3 || tst == 4) {
+        if (!TEST_ptr(md)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd)))
+            goto err;
+    } else  {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
 
-    /* Explicitly asking for the default implementation should succeeed */
-    if (!TEST_ptr(md = EVP_MD_fetch(ctx, "SHA256", "default=yes"))
-            || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
-            || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg), exptd))
-            || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
-            || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
-        goto err;
+    EVP_MD_meth_free(md);
+    md = NULL;
+
+    /*
+     * Explicitly asking for the default implementation should succeeed except
+     * in test 4 where the default provider is not loaded.
+     */
+    md = EVP_MD_fetch(ctx, "SHA256", "default=yes");
+    if (tst != 4) {
+        if (!TEST_ptr(md)
+                || !TEST_int_eq(EVP_MD_nid(md), NID_sha256)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd))
+                || !TEST_int_eq(EVP_MD_size(md), SHA256_DIGEST_LENGTH)
+                || !TEST_int_eq(EVP_MD_block_size(md), SHA256_CBLOCK))
+            goto err;
+    } else {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
 
     EVP_MD_meth_free(md);
     md = NULL;
 
+    /*
+     * Explicitly asking for a fips implementation should succeed if we have
+     * the FIPS provider loaded and fail otherwise
+     */
+    md = EVP_MD_fetch(ctx, "SHA256", "fips=yes");
+    if (tst == 3 || tst == 4) {
+        if (!TEST_ptr(md)
+                || !TEST_true(calculate_digest(md, testmsg, sizeof(testmsg),
+                                               exptd)))
+            goto err;
+    } else  {
+        if (!TEST_ptr_null(md))
+            goto err;
+    }
+
+
     ret = 1;
 
  err:
     EVP_MD_meth_free(md);
-    OSSL_PROVIDER_unload(prov);
+    OSSL_PROVIDER_unload(defltprov);
+    OSSL_PROVIDER_unload(fipsprov);
     OPENSSL_CTX_free(ctx);
     return ret;
 }
@@ -1207,6 +1253,10 @@ int setup_tests(void)
     ADD_ALL_TESTS(test_invalide_ec_char2_pub_range_decode,
                   OSSL_NELEM(ec_der_pub_keys));
 #endif
+#ifdef NO_FIPS_MODULE
     ADD_ALL_TESTS(test_EVP_MD_fetch, 3);
+#else
+    ADD_ALL_TESTS(test_EVP_MD_fetch, 5);
+#endif
     return 1;
 }

test/recipes/30-test_evp_extra.t

@@ -10,9 +10,12 @@
 use strict;
 use warnings;
 
-use OpenSSL::Test;
+use OpenSSL::Test qw/:DEFAULT bldtop_dir/;
 
 setup("test_evp_extra");
 
 plan tests => 1;
+
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+
 ok(run(test(["evp_extra_test"])), "running evp_extra_test");