test: make unit tests FIPS provider version aware

[paulidale]

This PR is to address the CI failures when running 3.0.x against the validated 3.0.0 FIPS provider.
Adding additional test cases is separate.

Fixes #19171

• documentation is added or updated
• tests are added or updated

[paulidale]

An alternative would be to version check all of the currently loaded providers against the testable version rather than just the FIPS provider.

[slontis]

Should this be discussed in OTC?

[slontis]

Looks ok to me Pauli

[slontis]

@paulidale

As @t8m suggested changing the code in EVP_PKEY_eq() to this seems to work

    if (a->keymgmt != NULL || b->keymgmt != NULL) {
        int selection = SELECT_PARAMETERS;

        if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
             && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
            selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
        else
            selection |= OSSL_KEYMGMT_SELECT_KEYPAIR;
        return evp_pkey_cmp_any(a, b, selection);
    }

30-test_evp_extra.t passes if you also check b

[paulidale]

With that last change the test log is now:

04-test_encoder_decoder.t        (Wstat: 256 Tests: 3 Failed: 1)
  Failed test:  3
  Non-zero exit status: 1
25-test_verify.t                 (Wstat: 512 Tests: 182 Failed: 2)
  Failed tests:  134-135
  Non-zero exit status: 2

[levitte]

@paulidale

As @t8m suggested changing the code in EVP_PKEY_eq() to this seems to work

    if (a->keymgmt != NULL || b->keymgmt != NULL) {
        int selection = SELECT_PARAMETERS;

        if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
             && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
            selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
        else
            selection |= OSSL_KEYMGMT_SELECT_KEYPAIR;
        return evp_pkey_cmp_any(a, b, selection);
    }

30-test_evp_extra.t passes if you also check b

The way I'm reading this is that with this change, all the stuff done in test/ in this PR can be dropped. Did I read that wrong?

[slontis]

@paulidale
As @t8m suggested changing the code in EVP_PKEY_eq() to this seems to work

    if (a->keymgmt != NULL || b->keymgmt != NULL) {
        int selection = SELECT_PARAMETERS;

        if (evp_keymgmt_util_has((EVP_PKEY *)a, OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
             && evp_keymgmt_util_has((EVP_PKEY *)b, OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
            selection |= OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
        else
            selection |= OSSL_KEYMGMT_SELECT_KEYPAIR;
        return evp_pkey_cmp_any(a, b, selection);
    }

30-test_evp_extra.t passes if you also check b

The way I'm reading this is that with this change, all the stuff done in test/ in this PR can be dropped. Did I read that wrong?

Yes you read it wrong.. There are a group of tests that access EVP_PKEY_eq() internally that currently fail.. such as the ssl related tests and cms. This change fixes that issue.. There are numerous other issues because we added tests to check new behaviour, or we broke tests because we changed behaviour (such as not allowing Explicit EC curves).

[paulidale]

As @slontis wrote, that fixes the pkey eq problems. There are plenty of other bug fixes.

[paulidale]

Yeah, I pushed the authorship change to the wrong repo. FFS.
Fixed now I hope.

[paulidale]

I'll be diverting from the two remaining fixes (EC explicit curve related I suspect) to working on adding the additional required tests tomorrow.

[slontis]

Do you mean the CI workflow?

[paulidale]

Yes, we need additional CI workflows to validate future fixes.

[paulidale]

Merged to master and 3.0. 3.0 required dropping the KDF_CTX_dup part of evptest but was otherwise clean enough.