1 files changed, 29 insertions, 28 deletions
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 4ebcb9837b..f6c84eef67 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -1,38 +1,13 @@
 # frozen_string_literal: true
 begin
   require "openssl"
-
-  # Disable FIPS mode for tests for installations
-  # where FIPS mode would be enabled by default.
-  # Has no effect on all other installations.
-  OpenSSL.fips_mode=false
 rescue LoadError
 end
 
-# Compile OpenSSL with crypto-mdebug and run this test suite with OSSL_MDEBUG=1
-# environment variable to enable memory leak check.
-if ENV["OSSL_MDEBUG"] == "1"
-  if OpenSSL.respond_to?(:print_mem_leaks)
-    OpenSSL.mem_check_start
-
-    END {
-      GC.start
-      case OpenSSL.print_mem_leaks
-      when nil
-        warn "mdebug: check what is printed"
-      when true
-        raise "mdebug: memory leaks detected"
-      end
-    }
-  else
-    warn "OSSL_MDEBUG=1 is specified but OpenSSL is not built with crypto-mdebug"
-  end
-end
-
 require "test/unit"
+require "core_assertions"
 require "tempfile"
 require "socket"
-require "envutil"
 
 if defined?(OpenSSL)
 
@@ -131,11 +106,12 @@ module OpenSSL::TestUtils
     end
   end
 
-  def openssl?(major = nil, minor = nil, fix = nil, patch = 0)
+  def openssl?(major = nil, minor = nil, fix = nil, patch = 0, status = 0)
     return false if OpenSSL::OPENSSL_VERSION.include?("LibreSSL")
     return true unless major
     OpenSSL::OPENSSL_VERSION_NUMBER >=
-      major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10
+      major * 0x10000000 + minor * 0x100000 + fix * 0x1000 + patch * 0x10 +
+      status * 0x1
   end
 
   def libressl?(major = nil, minor = nil, fix = nil)
@@ -148,6 +124,7 @@ end
 class OpenSSL::TestCase < Test::Unit::TestCase
   include OpenSSL::TestUtils
   extend OpenSSL::TestUtils
+  include Test::Unit::CoreAssertions
 
   def setup
     if ENV["OSSL_GC_STRESS"] == "1"
@@ -162,6 +139,30 @@ class OpenSSL::TestCase < Test::Unit::TestCase
     # OpenSSL error stack must be empty
     assert_equal([], OpenSSL.errors)
   end
+
+  # Omit the tests in FIPS.
+  #
+  # For example, the password based encryption used in the PEM format uses MD5
+  # for deriving the encryption key from the password, and MD5 is not
+  # FIPS-approved.
+  #
+  # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636
+  # for details.
+  def omit_on_fips
+    return unless OpenSSL.fips_mode
+
+    omit <<~MESSAGE
+      Only for OpenSSL non-FIPS with the following possible reasons:
+      * A testing logic is non-FIPS specific.
+      * An encryption used in the test is not FIPS-approved.
+    MESSAGE
+  end
+
+  def omit_on_non_fips
+    return if OpenSSL.fips_mode
+
+    omit "Only for OpenSSL FIPS"
+  end
 end
 
 class OpenSSL::SSLTestCase < OpenSSL::TestCase