use platform;
my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+my $no_check = disabled('fips-securitychecks');
plan tests =>
- ($no_fips ? 0 : 1) # FIPS install test
+ ($no_fips ? 0 : 1 + ($no_check ? 0 : 1)) # FIPS install test
+ 9;
my @prov = ( );
-my $provconf = srctop_file("test", "fips.cnf");
+my $provconf = srctop_file("test", "fips-and-base.cnf");
my $provpath = bldtop_dir("providers");
my $msg_file = data_file("plain_text");
my $enc1_file = "enc1.bin";
my $dec1_file = "dec1.txt";
my $dec2_file = "dec2.txt";
my $dec3_file = "dec3.txt";
-my $key_file = srctop_file("test", "testrsa.pem");
+my $key_file = srctop_file("test", "testrsa2048.pem");
+my $small_key_file = srctop_file("test", "testrsa.pem");
unless ($no_fips) {
- @prov = ( "-provider_path", $provpath, "-config", $provconf );
+ @prov = ( "-provider-path", $provpath, "-config", $provconf );
my $infile = bldtop_file('providers', platform->dso('fips'));
ok(run(app(['openssl', 'fipsinstall',
'-module', $infile])),
"fipsinstall");
$ENV{OPENSSL_TEST_LIBCTX} = "1";
+
+ unless ($no_check) {
+ ok(!run(app(['openssl', 'pkeyutl',
+ @prov,
+ '-encrypt',
+ '-in', $msg_file,
+ '-inkey', $small_key_file,
+ '-pkeyopt', 'pad-mode:oaep',
+ '-pkeyopt', 'oaep-label:123',
+ '-pkeyopt', 'digest:sha1',
+ '-pkeyopt', 'mgf1-digest:sha1',
+ '-out', $enc1_file])),
+ "RSA OAEP Encryption with a key smaller than 2048 in fips mode should fail");
+ }
}
ok(run(app(['openssl', 'pkeyutl',
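Review bot: The negative test added inside `unless ($no_check)` only asserts that `pkeyutl` exits non-zero, so it would also pass if the command failed for an unrelated reason, such as the FIPS provider not loading from `fips-and-base.cnf`, rather than because `$small_key_file` is (per the test description) smaller than 2048 bits. The rejection is only meaningful next to a control that runs the same OAEP options with `$key_file` and succeeds; the `ok(run(app(['openssl', 'pkeyutl',` statement on the hunk's last line may be that control, but its arguments lie outside the hunk, so this should be confirmed. I would state the dependency above the negative test, e.g. `# Must fail only because of the key size; the 2048-bit encrypt below is the control.`, and update the plan comment to `# FIPS install test + small-key rejection test`, since that term now counts up to two tests.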