Fix test_provider.rb in FIPS.

Author: junaruga

Rakefile

@@ -33,6 +33,7 @@ Rake::TestTask.new(:test_fips_internal) do |t|
     'test/openssl/test_pkey_dsa.rb',
     'test/openssl/test_pkey_ec.rb',
     'test/openssl/test_pkey_rsa.rb',
+    'test/openssl/test_provider.rb',
   ]
   t.warning = true
 end

test/openssl/test_provider.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 require_relative 'utils'
-if defined?(OpenSSL) && defined?(OpenSSL::Provider) && !OpenSSL.fips_mode
+if defined?(OpenSSL) && defined?(OpenSSL::Provider)
 
 class OpenSSL::TestProvider < OpenSSL::TestCase
   def test_openssl_provider_name_inspect
@@ -12,14 +12,41 @@ def test_openssl_provider_name_inspect
   end
 
   def test_openssl_provider_names
+    # We expect the following providers are loaded in the cases:
+    # * Non-FIPS: default
+    # * FIPS: fips, base
+    # Use the null provider to test the added provider.
+    # See provider(7) - OPENSSL PROVIDERS to see the list of providers, and
+    # OSSL_PROVIDER-null(7) to check the details of the null provider.
     with_openssl <<-'end;'
-      base_provider = OpenSSL::Provider.load("base")
-      assert_equal(2, OpenSSL::Provider.provider_names.size)
-      assert_includes(OpenSSL::Provider.provider_names, "base")
+      num = OpenSSL::Provider.provider_names.size
 
-      assert_equal(true, base_provider.unload)
-      assert_equal(1, OpenSSL::Provider.provider_names.size)
-      assert_not_includes(OpenSSL::Provider.provider_names, "base")
+      added_provider = OpenSSL::Provider.load("null")
+      assert_equal(num + 1, OpenSSL::Provider.provider_names.size)
+      assert_includes(OpenSSL::Provider.provider_names, "null")
+
+      assert_equal(true, added_provider.unload)
+      assert_equal(num, OpenSSL::Provider.provider_names.size)
+      assert_not_includes(OpenSSL::Provider.provider_names, "null")
+    end;
+  end
+
+  # Test providers to run OpenSSL FIPS perperly in OpenSSL 3.x.
+  # The `OpenSSL.fips_mode` calling the EVP_default_properties_is_fips_enabled
+  # only indicates if fips=yes is a default property. It doesn't check the
+  # providers.
+  # See EVP_default_properties_is_fips_enabled(3) for details.
+  def test_openssl_provider_names_on_fips
+    omit "Only for FIPS" unless OpenSSL.fips_mode
+
+    # The number of providers is at least 2 in FIPS: the fips provider for the
+    # key management, and another provider base or default for the
+    # encoding/decoding.
+    # See fips_module(7) - "Making all applications use the FIPS module by
+    # default" for details.
+    with_openssl(<<-'end;')
+      assert_compare(2, "<=", OpenSSL::Provider.provider_names.size)
+      assert_include(OpenSSL::Provider.provider_names, "fips")
     end;
   end
 
@@ -33,6 +60,9 @@ def test_unloaded_openssl_provider
   end
 
   def test_openssl_legacy_provider
+    # The legacy provider is not supported on FIPS.
+    omit_on_fips
+
     with_openssl(<<-'end;')
       begin
         OpenSSL::Provider.load("legacy")