Fix tests against OpenSSL 3.0

- Resolves: rhbz#1964838

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

softhsm-openssl3-tests.patch

@@ -0,0 +1,688 @@
+From dac3ac92ade67612657120335934d784edf49dbb Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 May 2021 20:03:25 +0300
+Subject: [PATCH 1/3] openssl 3.0: Run DES tests only if OpenSSL allows it
+
+OpenSSL 3.0 moves DES into a legacy provider which has to be loaded
+explicitly. By default, it will not be loaded and DES methods in tests
+will fail. Nest test blocks under successful initialization.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/lib/crypto/test/DESTests.cpp | 350 ++++++++++++++++---------------
+ 1 file changed, 182 insertions(+), 168 deletions(-)
+
+diff --git a/src/lib/crypto/test/DESTests.cpp b/src/lib/crypto/test/DESTests.cpp
+index bcb1c6b..aa68746 100644
+--- a/src/lib/crypto/test/DESTests.cpp
++++ b/src/lib/crypto/test/DESTests.cpp
+@@ -259,54 +259,58 @@ void DESTests::testCBC()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CBC, IV));
++			if (des->encryptInit(&desKey56, SymMode::CBC, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CBC, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++
++			}
+ 
+ 			// Test 112-bit key
+ 			cipherText = ByteString(testResult[i][j][1]);
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CBC, IV));
++			if (des->encryptInit(&desKey112, SymMode::CBC, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CBC, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
++
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
+ #endif
+ 
+ 			// Test 168-bit key
+@@ -314,27 +318,28 @@ void DESTests::testCBC()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CBC, IV));
++			if (des->encryptInit(&desKey168, SymMode::CBC, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CBC, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 		}
+ 	}
+ }
+@@ -534,54 +539,56 @@ void DESTests::testECB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::ECB, IV));
++			if (des->encryptInit(&desKey56, SymMode::ECB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::ECB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 
+ 			// Test 112-bit key
+ 			cipherText = ByteString(testResult[i][j][1]);
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::ECB, IV));
++			if (des->encryptInit(&desKey112, SymMode::ECB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::ECB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ #endif
+ 
+ 			// Test 168-bit key
+@@ -589,27 +596,28 @@ void DESTests::testECB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::ECB, IV));
++			if (des->encryptInit(&desKey168, SymMode::ECB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::ECB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 		}
+ 	}
+ }
+@@ -809,54 +817,56 @@ void DESTests::testOFB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::OFB, IV));
++			if (des->encryptInit(&desKey56, SymMode::OFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::OFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 
+ 			// Test 112-bit key
+ 			cipherText = ByteString(testResult[i][j][1]);
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::OFB, IV));
++			if (des->encryptInit(&desKey112, SymMode::OFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::OFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ #endif
+ 
+ 			// Test 168-bit key
+@@ -864,27 +874,28 @@ void DESTests::testOFB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::OFB, IV));
++			if (des->encryptInit(&desKey168, SymMode::OFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::OFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 		}
+ 	}
+ }
+@@ -1083,54 +1094,56 @@ void DESTests::testCFB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey56, SymMode::CFB, IV));
++			if (des->encryptInit(&desKey56, SymMode::CFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey56, SymMode::CFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 
+ 			// Test 112-bit key
+ 			cipherText = ByteString(testResult[i][j][1]);
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey112, SymMode::CFB, IV));
++			if (des->encryptInit(&desKey112, SymMode::CFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey112, SymMode::CFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ #endif
+ 
+ 			// Test 168-bit key
+@@ -1138,27 +1151,28 @@ void DESTests::testCFB()
+ 
+ 			// Now, do the same thing using our DES implementation
+ 			shsmCipherText.wipe();
+-			CPPUNIT_ASSERT(des->encryptInit(&desKey168, SymMode::CFB, IV));
++			if (des->encryptInit(&desKey168, SymMode::CFB, IV)) {
+ 
+-			CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptUpdate(plainText, OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(des->encryptFinal(OB));
+-			shsmCipherText += OB;
++				CPPUNIT_ASSERT(des->encryptFinal(OB));
++				shsmCipherText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmCipherText == cipherText);
++				CPPUNIT_ASSERT(shsmCipherText == cipherText);
+ 
+-			// Check that we can get the plain text
+-			shsmPlainText.wipe();
+-			CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV));
++				// Check that we can get the plain text
++				shsmPlainText.wipe();
++				CPPUNIT_ASSERT(des->decryptInit(&desKey168, SymMode::CFB, IV));
+ 
+-			CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptUpdate(shsmCipherText, OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(des->decryptFinal(OB));
+-			shsmPlainText += OB;
++				CPPUNIT_ASSERT(des->decryptFinal(OB));
++				shsmPlainText += OB;
+ 
+-			CPPUNIT_ASSERT(shsmPlainText == plainText);
++				CPPUNIT_ASSERT(shsmPlainText == plainText);
++			}
+ 		}
+ 	}
+ }
+-- 
+2.31.1
+
+
+From d8d38bd2e9b24f200c96682d1bd0967444f064ed Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 May 2021 20:09:31 +0300
+Subject: [PATCH 2/3] openssl 3.0: use 2048 instead of 1024 bit for RSA tests
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/lib/crypto/test/RSATests.cpp | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp
+index 6af1e19..e583b8b 100644
+--- a/src/lib/crypto/test/RSATests.cpp
++++ b/src/lib/crypto/test/RSATests.cpp
+@@ -78,7 +78,6 @@ void RSATests::testKeyGeneration()
+ 
+ 	// Key sizes to test
+ 	std::vector<size_t> keySizes;
+-	keySizes.push_back(1024);
+ #ifndef WITH_FIPS
+ 	keySizes.push_back(1025);
+ #endif
+@@ -111,12 +110,12 @@ void RSATests::testKeyGeneration()
+ 
+ void RSATests::testSerialisation()
+ {
+-	// Generate a 1024-bit key-pair for testing
++	// Generate a 2048-bit key-pair for testing
+ 	AsymmetricKeyPair* kp;
+ 	RSAParameters p;
+ 
+ 	p.setE("010001");
+-	p.setBitLength(1024);
++	p.setBitLength(2048);
+ 
+ 	CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
+ 	CPPUNIT_ASSERT(kp != NULL);
+@@ -204,12 +203,12 @@ void RSATests::testSerialisation()
+ 
+ void RSATests::testPKCS8()
+ {
+-	// Generate a 1024-bit key-pair for testing
++	// Generate a 2048-bit key-pair for testing
+ 	AsymmetricKeyPair* kp;
+ 	RSAParameters p;
+ 
+ 	p.setE("010001");
+-	p.setBitLength(1024);
++	p.setBitLength(2048);
+ 
+ 	CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
+ 	CPPUNIT_ASSERT(kp != NULL);
+@@ -253,7 +252,6 @@ void RSATests::testSigningVerifying()
+ 
+ 	// Key sizes to test
+ 	std::vector<size_t> keySizes;
+-	keySizes.push_back(1024);
+ 	keySizes.push_back(1280);
+ 	keySizes.push_back(2048);
+ 	//keySizes.push_back(4096);
+@@ -611,7 +609,6 @@ void RSATests::testEncryptDecrypt()
+ 
+ 	// Key sizes to test
+ 	std::vector<size_t> keySizes;
+-	keySizes.push_back(1024);
+ 	keySizes.push_back(1280);
+ 	keySizes.push_back(2048);
+ 	//keySizes.push_back(4096);
+-- 
+2.31.1
+
+
+From 6a35c45aeae805b238cb18652a78419b1e43ad5c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 May 2021 22:29:22 +0300
+Subject: [PATCH 3/3] openssl 3.0: Skip tests with unsupported key sizes
+
+OpenSSL 3.0 on systems with systemd-wide crypto policy (Fedora, RHEL,
+CentOS 9 Stream) might block certain key sizes which causes the tests to
+fail. Skip these tests because we are not going to get the results
+anyway.
+
+There is no way with CPPUNIT to produce a warning only, so we have to
+skip the whole test result.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/lib/crypto/test/RSATests.cpp | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/src/lib/crypto/test/RSATests.cpp b/src/lib/crypto/test/RSATests.cpp
+index e583b8b..3b397d2 100644
+--- a/src/lib/crypto/test/RSATests.cpp
++++ b/src/lib/crypto/test/RSATests.cpp
+@@ -92,18 +92,19 @@ void RSATests::testKeyGeneration()
+ 			p.setE(*e);
+ 			p.setBitLength(*k);
+ 
+-			// Generate key-pair
+-			CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++			// Generate key-pair but skip test if key size is unsupported in OpenSSL 3.0.0
++			if (rsa->generateKeyPair(&kp, &p)) {
+ 
+-			RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey();
+-			RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey();
++				RSAPublicKey* pub = (RSAPublicKey*) kp->getPublicKey();
++				RSAPrivateKey* priv = (RSAPrivateKey*) kp->getPrivateKey();
+ 
+-			CPPUNIT_ASSERT(pub->getBitLength() == *k);
+-			CPPUNIT_ASSERT(priv->getBitLength() == *k);
+-			CPPUNIT_ASSERT(pub->getE() == *e);
+-			CPPUNIT_ASSERT(priv->getE() == *e);
++				CPPUNIT_ASSERT(pub->getBitLength() == *k);
++				CPPUNIT_ASSERT(priv->getBitLength() == *k);
++				CPPUNIT_ASSERT(pub->getE() == *e);
++				CPPUNIT_ASSERT(priv->getE() == *e);
+ 
+-			rsa->recycleKeyPair(kp);
++				rsa->recycleKeyPair(kp);
++			}
+ 		}
+ 	}
+ }
+@@ -291,8 +292,10 @@ void RSATests::testSigningVerifying()
+ 			p.setE(*e);
+ 			p.setBitLength(*k);
+ 
+-			// Generate key-pair
+-			CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++			// Generate key-pair but skip those that unsupported in OpenSSL 3.0.0
++			if (!rsa->generateKeyPair(&kp, &p)) {
++				continue;
++			}
+ 
+ 			// Generate some data to sign
+ 			ByteString dataToSign;
+@@ -626,8 +629,10 @@ void RSATests::testEncryptDecrypt()
+ 			p.setE(*e);
+ 			p.setBitLength(*k);
+ 
+-			// Generate key-pair
+-			CPPUNIT_ASSERT(rsa->generateKeyPair(&kp, &p));
++			// Generate key-pair but skip those that unsupported in OpenSSL 3.0.0
++			if (!rsa->generateKeyPair(&kp, &p)) {
++				continue;
++			}
+ 
+ 			RNG* rng = CryptoFactory::i()->getRNG();
+ 
+-- 
+2.31.1
+

softhsm.spec

@@ -4,13 +4,14 @@
 Summary: Software version of a PKCS#11 Hardware Security Module
 Name: softhsm
 Version: 2.6.1
-Release: %{?prever:0.}5%{?prever:.%{prever}}%{?dist}.2
+Release: %{?prever:0.}6%{?prever:.%{prever}}%{?dist}
 License: BSD
 Url: http://www.opendnssec.org/
 Source: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz
 Source1: http://dist.opendnssec.org/source/%{?prever:testing/}%{name}-%{version}.tar.gz.sig
 
 Patch1: softhsm-2.6.1-rh1831086-exit.patch
+Patch2: softhsm-openssl3-tests.patch
 
 BuildRequires: make
 BuildRequires: openssl-devel >= 1.0.1k-6, sqlite-devel >= 3.4.2, cppunit-devel
@@ -43,6 +44,7 @@ The devel package contains the libsofthsm include files
 %prep
 %setup -q -n %{name}-%{version}%{?prever}
 %patch1 -p1
+%patch2 -p1
 
 %if 0%{?prever:1} || 0%{?prerelease:1}
    # pre-release or post-release snapshots fixup
@@ -116,6 +118,10 @@ if [ -f /var/softhsm/slot0.db ]; then
 fi
 
 %changelog
+* Thu May 27 2021 Alexander Bokovoy <abokovoy@redhat.com> - 2.6.1-6
+- Fix tests against OpenSSL 3.0
+- Resolves: rhbz#1964838
+
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.6.1-5.2
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937