fips: setup the FIPS provider in pendantic mode for testing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t
index 8d53e8a40fdbd953dd840326ea946b2ec506c816..bf1b0c8081ae30a5854ee55a77c65c9bc5201bc8 100644 (file)
--- a/test/recipes/00-prep_fipsmodule_cnf.t
+++ b/test/recipes/00-prep_fipsmodule_cnf.t
@@ -30,7 +30,7 @@ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf');
 plan tests => 1;
 
 # Create the $fipsmoduleconf file
-ok(run(app(['openssl', 'fipsinstall',
+ok(run(app(['openssl', 'fipsinstall', '-pedantic',
             '-module', $fipsmodule, '-provider_name', 'fips',
             '-section_name', 'fips_sect', '-out', $fipsmoduleconf])),
    "fips install");

diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl
index 6a86e06b8b514a843c92ef2e26c87826ff4bd5bd..b4ab729914cda1bae9380fe04551cccb67bec740 100644 (file)
--- a/util/mk-fipsmodule-cnf.pl
+++ b/util/mk-fipsmodule-cnf.pl
@@ -8,9 +8,14 @@
 
 use Getopt::Long;
 
-my $activate = 1;
+# Module options for pedantic FIPS mode
+# self_test_onload happens if install_mac isn't included, don't add it below
 my $conditional_errors = 1;
 my $security_checks = 1;
+my $ems_check = 0;
+my $drgb_no_trunc_dgst = 0;
+
+my $activate = 1;
 my $mac_key;
 my $module_name;
 my $section_name = "fips_sect";
@@ -40,5 +45,7 @@ print <<_____;
 activate = $activate
 conditional-errors = $conditional_errors
 security-checks = $security_checks
+ems_check = $ems_check
+drgb_no_trunc_dgst = $drgb_no_trunc_dgst
 module-mac = $module_mac
 _____