]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 875a791)
fips: Skip testing RFC 9579 good files as they use short salt & password
authorDimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Fri, 25 Apr 2025 22:56:48 +0000 (23:56 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 4 Mar 2026 17:24:45 +0000 (18:24 +0100)
The RFC 9579 good files are always tested with the default provider.

The RFC 9579 good files use too short salt, and too short password
that a sticrly compliant FIPS provider with lower bounds enforcement
should no longer able to open.

If checking positive files is desired, these could be regenerated with
longer salt and password, but not too sure if it is worth it.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Wed Mar  4 17:25:53 2026
(Merged from https://github.com/openssl/openssl/pull/27431)

test/recipes/80-test_pkcs12.t patch | blob | blame | history

diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 329f3a134bcc80c852a7b141e491d1136c508fc5..56a8e3fcb7ceda48cdbe76523e189d0236e0d547 100644 (file)
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
 
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 
-plan tests => $no_fips ? 58 : 69;
+plan tests => $no_fips ? 58 : 63;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -213,28 +213,6 @@ for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_
       "test pbmac1 pkcs12 file $file");
 }
 
-
-unless ($no_fips) {
-    my $provpath = bldtop_dir("providers");
-    my $provconf = srctop_file("test", "fips-and-base.cnf");
-    my $provname = 'fips';
-    my @prov = ("-provider-path", $provpath,
-                "-provider", $provname);
-    local $ENV{OPENSSL_CONF} = $provconf;
-
-# Test pbmac1 pkcs12 good files, RFC 9579
-    for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
-    {
-        my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
-        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
-           "test pbmac1 pkcs12 file $file");
-
-        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
-                    "-passin", "pass:1234"], stderr => "${file}_info.txt")),
-           "test_export_pkcs12_${file}_info");
-    }
-}
-
 # Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
 for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12",
               "pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",
Mirror of https://github.com/openssl/openssl.git