]>
Commit | Line | Data |
---|---|---|
95214b43 | 1 | #! /usr/bin/env perl |
da1c088f | 2 | # Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. |
95214b43 SL |
3 | # |
4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use warnings; | |
11 | ||
e25b4db7 | 12 | use File::Spec::Functions qw(:DEFAULT abs2rel); |
95214b43 SL |
13 | use File::Copy; |
14 | use OpenSSL::Glob; | |
9f7bdcf3 | 15 | use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; |
95214b43 SL |
16 | use OpenSSL::Test::Utils; |
17 | ||
18 | BEGIN { | |
19 | setup("test_fipsinstall"); | |
20 | } | |
21 | use lib srctop_dir('Configurations'); | |
22 | use lib bldtop_dir('.'); | |
23 | use platform; | |
24 | ||
25 | plan skip_all => "Test only supported in a fips build" if disabled("fips"); | |
26 | ||
c8093347 P |
27 | # Compatible options for pedantic FIPS compliance |
28 | my @pedantic_okay = | |
29 | ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' ); | |
30 | ||
31 | # Incompatible options for pedantic FIPS compliance | |
32 | my @pedantic_fail = | |
33 | ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' ); | |
34 | ||
35 | plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail); | |
95214b43 SL |
36 | |
37 | my $infile = bldtop_file('providers', platform->dso('fips')); | |
ffc22e03 | 38 | my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00'; |
6e38ac39 | 39 | my $provconf = srctop_file("test", "fips-and-base.cnf"); |
95214b43 | 40 | |
9f7bdcf3 SL |
41 | # Read in a text $infile and replace the regular expression in $srch with the |
42 | # value in $repl and output to a new file $outfile. | |
43 | sub replace_line_file_internal { | |
44 | ||
45 | my ($infile, $srch, $repl, $outfile) = @_; | |
46 | my $msg; | |
47 | ||
48 | open(my $in, "<", $infile) or return 0; | |
49 | read($in, $msg, 1024); | |
50 | close $in; | |
51 | ||
52 | $msg =~ s/$srch/$repl/; | |
53 | ||
54 | open(my $fh, ">", $outfile) or return 0; | |
55 | print $fh $msg; | |
56 | close $fh; | |
57 | return 1; | |
58 | } | |
59 | ||
60 | # Read in the text input file 'fips.cnf' | |
61 | # and replace a single Key = Value line with a new value in $value. | |
62 | # OR remove the Key = Value line if the passed in $value is empty. | |
63 | # and then output a new file $outfile. | |
64 | # $key is the Key to find | |
65 | sub replace_line_file { | |
66 | my ($key, $value, $outfile) = @_; | |
67 | ||
68 | my $srch = qr/$key\s*=\s*\S*\n/; | |
69 | my $rep; | |
70 | if ($value eq "") { | |
71 | $rep = ""; | |
72 | } else { | |
73 | $rep = "$key = $value\n"; | |
74 | } | |
75 | return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile); | |
76 | } | |
77 | ||
78 | # Read in the text input file 'test/fips.cnf' | |
79 | # and replace the .cnf file used in | |
80 | # .include fipsmodule.cnf with a new value in $value. | |
81 | # and then output a new file $outfile. | |
82 | # $key is the Key to find | |
83 | sub replace_parent_line_file { | |
84 | my ($value, $outfile) = @_; | |
85 | my $srch = qr/fipsmodule.cnf/; | |
86 | my $rep = "$value"; | |
87 | return replace_line_file_internal(srctop_file("test", 'fips.cnf'), | |
88 | $srch, $rep, $outfile); | |
89 | } | |
90 | ||
78bcbc1e P |
91 | # Check if the specified pattern occurs in the given file |
92 | # Returns 1 if the pattern is found and 0 if not | |
93 | sub find_line_file { | |
94 | my ($key, $file) = @_; | |
95 | ||
96 | open(my $in, $file) or return -1; | |
97 | while (my $line = <$in>) { | |
98 | if ($line =~ /$key/) { | |
99 | close($in); | |
100 | return 1; | |
101 | } | |
102 | } | |
103 | close($in); | |
104 | return 0; | |
105 | } | |
106 | ||
be3acd79 | 107 | # fail if no module name |
433deaff | 108 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', |
95214b43 | 109 | '-provider_name', 'fips', |
31214258 | 110 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 111 | '-section_name', 'fips_sect'])), |
be3acd79 | 112 | "fipsinstall fail"); |
95214b43 | 113 | |
be3acd79 | 114 | # fail to verify if the configuration file is missing |
95214b43 SL |
115 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile, |
116 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
31214258 | 117 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 118 | '-section_name', 'fips_sect', '-verify'])), |
be3acd79 | 119 | "fipsinstall verify fail"); |
95214b43 SL |
120 | |
121 | ||
433deaff RS |
122 | # output a fips.cnf file containing mac data |
123 | ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
95214b43 | 124 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 125 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 126 | '-section_name', 'fips_sect'])), |
be3acd79 | 127 | "fipsinstall"); |
95214b43 | 128 | |
433deaff RS |
129 | # verify the fips.cnf file |
130 | ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
95214b43 | 131 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 132 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 133 | '-section_name', 'fips_sect', '-verify'])), |
be3acd79 | 134 | "fipsinstall verify"); |
95214b43 | 135 | |
9f7bdcf3 SL |
136 | ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf') |
137 | && !run(app(['openssl', 'fipsinstall', | |
138 | '-in', 'fips_no_module_mac.cnf', | |
139 | '-module', $infile, | |
140 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
141 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", | |
142 | '-section_name', 'fips_sect', '-verify'])), | |
143 | "fipsinstall verify fail no module mac"); | |
144 | ||
145 | ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf') | |
146 | && !run(app(['openssl', 'fipsinstall', | |
147 | '-in', 'fips_no_install_mac.cnf', | |
148 | '-module', $infile, | |
149 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
150 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", | |
151 | '-section_name', 'fips_sect', '-verify'])), | |
152 | "fipsinstall verify fail no install indicator mac"); | |
153 | ||
154 | ok(replace_line_file('module-mac', '00:00:00:00:00:00', | |
155 | 'fips_bad_module_mac.cnf') | |
156 | && !run(app(['openssl', 'fipsinstall', | |
157 | '-in', 'fips_bad_module_mac.cnf', | |
158 | '-module', $infile, | |
159 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
160 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", | |
161 | '-section_name', 'fips_sect', '-verify'])), | |
162 | "fipsinstall verify fail if invalid module integrity value"); | |
163 | ||
164 | ok(replace_line_file('install-mac', '00:00:00:00:00:00', | |
165 | 'fips_bad_install_mac.cnf') | |
166 | && !run(app(['openssl', 'fipsinstall', | |
167 | '-in', 'fips_bad_install_mac.cnf', | |
168 | '-module', $infile, | |
169 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
170 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", | |
171 | '-section_name', 'fips_sect', '-verify'])), | |
172 | "fipsinstall verify fail if invalid install indicator integrity value"); | |
173 | ||
174 | ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING', | |
175 | 'fips_bad_indicator.cnf') | |
176 | && !run(app(['openssl', 'fipsinstall', | |
177 | '-in', 'fips_bad_indicator.cnf', | |
178 | '-module', $infile, | |
179 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
180 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", | |
181 | '-section_name', 'fips_sect', '-verify'])), | |
182 | "fipsinstall verify fail if invalid install indicator status"); | |
183 | ||
433deaff RS |
184 | # fail to verify the fips.cnf file if a different key is used |
185 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
95214b43 | 186 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 187 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:01", |
9f7bdcf3 | 188 | '-section_name', 'fips_sect', '-verify'])), |
be3acd79 | 189 | "fipsinstall verify fail bad key"); |
95214b43 | 190 | |
433deaff RS |
191 | # fail to verify the fips.cnf file if a different mac digest is used |
192 | ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile, | |
95214b43 | 193 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 194 | '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 195 | '-section_name', 'fips_sect', '-verify'])), |
be3acd79 | 196 | "fipsinstall verify fail incorrect digest"); |
36fc5fc6 SL |
197 | |
198 | # corrupt the module hmac | |
433deaff | 199 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
36fc5fc6 | 200 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 201 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 202 | '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])), |
36fc5fc6 SL |
203 | "fipsinstall fails when the module integrity is corrupted"); |
204 | ||
205 | # corrupt the first digest | |
9f7bdcf3 | 206 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, |
36fc5fc6 | 207 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 208 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 209 | '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])), |
36fc5fc6 SL |
210 | "fipsinstall fails when the digest result is corrupted"); |
211 | ||
212 | # corrupt another digest | |
9f7bdcf3 | 213 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, |
36fc5fc6 | 214 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 215 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 216 | '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])), |
36fc5fc6 | 217 | "fipsinstall fails when the digest result is corrupted"); |
980a880e | 218 | |
3fed2718 SL |
219 | # corrupt cipher encrypt test |
220 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, | |
221 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
222 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", | |
3b1978e4 | 223 | '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])), |
3fed2718 SL |
224 | "fipsinstall fails when the AES_GCM result is corrupted"); |
225 | ||
226 | # corrupt cipher decrypt test | |
227 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, | |
228 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
229 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", | |
230 | '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])), | |
231 | "fipsinstall fails when the AES_ECB result is corrupted"); | |
232 | ||
980a880e | 233 | # corrupt DRBG |
9f7bdcf3 | 234 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile, |
980a880e | 235 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 236 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 237 | '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])), |
980a880e | 238 | "fipsinstall fails when the DRBG CTR result is corrupted"); |
ec4d1b8f SL |
239 | |
240 | # corrupt a KAS test | |
a7a7643a MC |
241 | SKIP: { |
242 | skip "Skipping KAS DH corruption test because of no dh in this build", 1 | |
243 | if disabled("dh"); | |
244 | ||
97a8878c | 245 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
a7a7643a | 246 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 247 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 248 | '-section_name', 'fips_sect', |
a7a7643a MC |
249 | '-corrupt_desc', 'DH', |
250 | '-corrupt_type', 'KAT_KA'])), | |
251 | "fipsinstall fails when the kas result is corrupted"); | |
252 | } | |
ec4d1b8f | 253 | |
6e38ac39 | 254 | # corrupt a Signature test - 140-3 requires a known answer test |
9be92bec MC |
255 | SKIP: { |
256 | skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 | |
257 | if disabled("dsa"); | |
6e38ac39 P |
258 | |
259 | run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), | |
260 | capture => 1, statusvar => \my $exit); | |
261 | skip "FIPS provider version is too old for KAT DSA signature test", 1 | |
262 | if !$exit; | |
263 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
264 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
265 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", | |
7057dddb | 266 | '-section_name', 'fips_sect', '-self_test_oninstall', |
6e38ac39 P |
267 | '-corrupt_desc', 'DSA', |
268 | '-corrupt_type', 'KAT_Signature'])), | |
269 | "fipsinstall fails when the signature result is corrupted"); | |
270 | } | |
271 | ||
272 | # corrupt a Signature test - 140-2 allows a pairwise consistency test | |
273 | SKIP: { | |
274 | skip "Skipping Signature DSA corruption test because of no dsa in this build", 1 | |
275 | if disabled("dsa"); | |
276 | ||
277 | run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), | |
278 | capture => 1, statusvar => \my $exit); | |
cc910f1b | 279 | skip "FIPS provider version is too new for PCT DSA signature test", 1 |
6e38ac39 | 280 | if !$exit; |
97a8878c | 281 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, |
9be92bec | 282 | '-provider_name', 'fips', '-mac_name', 'HMAC', |
31214258 | 283 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", |
9f7bdcf3 | 284 | '-section_name', 'fips_sect', |
9be92bec | 285 | '-corrupt_desc', 'DSA', |
55950587 | 286 | '-corrupt_type', 'PCT_Signature'])), |
9be92bec MC |
287 | "fipsinstall fails when the signature result is corrupted"); |
288 | } | |
9f7bdcf3 | 289 | |
4343a418 SL |
290 | # corrupt an Asymmetric cipher test |
291 | SKIP: { | |
292 | skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1 | |
293 | if disabled("rsa"); | |
294 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
295 | '-corrupt_desc', 'RSA_Encrypt', | |
296 | '-corrupt_type', 'KAT_AsymmetricCipher'])), | |
297 | "fipsinstall fails when the asymmetric cipher result is corrupted"); | |
298 | } | |
299 | ||
e25b4db7 RL |
300 | # 'local' ensures that this change is only done in this file. |
301 | local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir()); | |
9f7bdcf3 SL |
302 | |
303 | ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf') | |
304 | && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])), | |
305 | "verify fips provider loads from a configuration file"); | |
306 | ||
307 | ok(replace_parent_line_file('fips_no_module_mac.cnf', | |
308 | 'fips_parent_no_module_mac.cnf') | |
309 | && !run(app(['openssl', 'fipsinstall', | |
310 | '-config', 'fips_parent_no_module_mac.cnf'])), | |
311 | "verify load config fail no module mac"); | |
312 | ||
6e38ac39 P |
313 | SKIP: { |
314 | run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), | |
315 | capture => 1, statusvar => \my $exit); | |
316 | skip "FIPS provider version doesn't support self test indicator", 3 | |
317 | if !$exit; | |
318 | ||
319 | ok(replace_parent_line_file('fips_no_install_mac.cnf', | |
320 | 'fips_parent_no_install_mac.cnf') | |
321 | && !run(app(['openssl', 'fipsinstall', | |
322 | '-config', 'fips_parent_no_install_mac.cnf'])), | |
323 | "verify load config fail no install mac"); | |
324 | ||
325 | ok(replace_parent_line_file('fips_bad_indicator.cnf', | |
326 | 'fips_parent_bad_indicator.cnf') | |
327 | && !run(app(['openssl', 'fipsinstall', | |
328 | '-config', 'fips_parent_bad_indicator.cnf'])), | |
329 | "verify load config fail bad indicator"); | |
330 | ||
331 | ||
332 | ok(replace_parent_line_file('fips_bad_install_mac.cnf', | |
333 | 'fips_parent_bad_install_mac.cnf') | |
334 | && !run(app(['openssl', 'fipsinstall', | |
335 | '-config', 'fips_parent_bad_install_mac.cnf'])), | |
336 | "verify load config fail bad install mac"); | |
337 | } | |
9f7bdcf3 SL |
338 | |
339 | ok(replace_parent_line_file('fips_bad_module_mac.cnf', | |
340 | 'fips_parent_bad_module_mac.cnf') | |
341 | && !run(app(['openssl', 'fipsinstall', | |
342 | '-config', 'fips_parent_bad_module_mac.cnf'])), | |
343 | "verify load config fail bad module mac"); | |
2abffec0 | 344 | |
6e38ac39 P |
345 | SKIP: { |
346 | run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]), | |
347 | capture => 1, statusvar => \my $exit); | |
348 | skip "FIPS provider version doesn't support self test indicator", 3 | |
349 | if !$exit; | |
2abffec0 | 350 | |
6e38ac39 | 351 | my $stconf = "fipsmodule_selftest.cnf"; |
2abffec0 | 352 | |
6e38ac39 P |
353 | ok(run(app(['openssl', 'fipsinstall', '-out', $stconf, |
354 | '-module', $infile, '-self_test_onload'])), | |
355 | "fipsinstall config saved without self test indicator"); | |
2abffec0 | 356 | |
6e38ac39 P |
357 | ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf, |
358 | '-module', $infile, '-verify'])), | |
359 | "fipsinstall config verify fails without self test indicator"); | |
2abffec0 | 360 | |
6e38ac39 P |
361 | ok(run(app(['openssl', 'fipsinstall', '-in', $stconf, |
362 | '-module', $infile, '-self_test_onload', '-verify'])), | |
363 | "fipsinstall config verify passes when self test indicator is not present"); | |
364 | } | |
7057dddb P |
365 | |
366 | SKIP: { | |
367 | run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), | |
368 | capture => 1, statusvar => \my $exit); | |
369 | skip "FIPS provider version can run self tests on install", 1 | |
370 | if !$exit; | |
371 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
372 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
373 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", | |
50ea5cdc | 374 | '-section_name', 'fips_sect', '-self_test_oninstall', |
375 | '-ems_check'])), | |
7057dddb P |
376 | "fipsinstall fails when attempting to run self tests on install"); |
377 | } | |
78bcbc1e P |
378 | |
379 | ok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1, | |
380 | 'fipsinstall defaults to not banning truncated digests with DRBGs'); | |
381 | ||
382 | ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile, | |
383 | '-provider_name', 'fips', '-mac_name', 'HMAC', | |
384 | '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey", | |
385 | '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])), | |
386 | "fipsinstall knows about allowing truncated digests in DRBGs"); | |
387 | ||
388 | ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1, | |
389 | 'fipsinstall will allow option for truncated digests with DRBGs'); | |
390 | ||
c8093347 P |
391 | |
392 | ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf', | |
393 | '-module', $infile, '-pedantic'])), | |
394 | "fipsinstall accepts -pedantic option"); | |
395 | ||
396 | foreach my $o (@pedantic_okay) { | |
397 | ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf", | |
398 | '-module', $infile, '-pedantic', "-${o}"])), | |
399 | "fipsinstall accepts -${o} after -pedantic option"); | |
400 | } | |
401 | ||
402 | foreach my $o (@pedantic_fail) { | |
403 | ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', | |
404 | '-module', $infile, '-pedantic', "-${o}"])), | |
405 | "fipsinstall disallows -${o} after -pedantic option"); | |
406 | } | |
407 |