From: Pauli Date: Tue, 18 Apr 2023 01:11:17 +0000 (+1000) Subject: fips: setup the FIPS provider in pendantic mode for testing X-Git-Tag: openssl-3.2.0-alpha1~981 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c04e78f0c69201226430fed14c291c281da47f2d;p=thirdparty%2Fopenssl.git fips: setup the FIPS provider in pendantic mode for testing Reviewed-by: Tomas Mraz Reviewed-by: Shane Lontis Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/20762) --- diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t index 8d53e8a40fd..bf1b0c8081a 100644 --- a/test/recipes/00-prep_fipsmodule_cnf.t +++ b/test/recipes/00-prep_fipsmodule_cnf.t @@ -30,7 +30,7 @@ my $fipsmoduleconf = bldtop_file('test', 'fipsmodule.cnf'); plan tests => 1; # Create the $fipsmoduleconf file -ok(run(app(['openssl', 'fipsinstall', +ok(run(app(['openssl', 'fipsinstall', '-pedantic', '-module', $fipsmodule, '-provider_name', 'fips', '-section_name', 'fips_sect', '-out', $fipsmoduleconf])), "fips install"); diff --git a/util/mk-fipsmodule-cnf.pl b/util/mk-fipsmodule-cnf.pl index 6a86e06b8b5..b4ab729914c 100644 --- a/util/mk-fipsmodule-cnf.pl +++ b/util/mk-fipsmodule-cnf.pl @@ -8,9 +8,14 @@ use Getopt::Long; -my $activate = 1; +# Module options for pedantic FIPS mode +# self_test_onload happens if install_mac isn't included, don't add it below my $conditional_errors = 1; my $security_checks = 1; +my $ems_check = 0; +my $drgb_no_trunc_dgst = 0; + +my $activate = 1; my $mac_key; my $module_name; my $section_name = "fips_sect"; @@ -40,5 +45,7 @@ print <<_____; activate = $activate conditional-errors = $conditional_errors security-checks = $security_checks +ems_check = $ems_check +drgb_no_trunc_dgst = $drgb_no_trunc_dgst module-mac = $module_mac _____
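Review bot: Nothing in this recipe confirms that the generated `$fipsmoduleconf` actually carries the pedantic settings; `ok(run(app([...])), "fips install")` only asserts that `openssl fipsinstall` exited successfully, and the comment above it still reads `# Create the $fipsmoduleconf file`. Since this prep step appears to produce the configuration that later FIPS recipes load, the suite would presumably stop exercising the non-pedantic defaults, and that trade-off deserves a sentence here. I would extend the comment to `# Create the $fipsmoduleconf file with -pedantic so later tests run against the strictest FIPS settings`.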
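Review bot: The two new options are initialised to `0` under a comment that labels the group "Module options for pedantic FIPS mode", while the neighbouring `$conditional_errors` and `$security_checks` are `1`; going by the names, a config written by this script would leave the EMS check and the truncated-digest restriction off, unlike the `-pedantic` install in the test recipe. If that asymmetry is intended, say so in the comment, e.g. `# ems_check and drgb_no_trunc_dgst stay 0 here; only fipsinstall -pedantic turns them on`; otherwise set both to `1`. Whether these variables can be overridden from the command line is not visible, because the option parsing lies outside the hunk.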
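Review bot: The two added keys do not follow the spelling of the keys around them: `ems_check` and `drgb_no_trunc_dgst` use underscores where `conditional-errors`, `security-checks` and `module-mac` use hyphens, and `drgb` looks like a transposition of `drbg` (the same spelling is in the variable declared in the earlier hunk). A configuration key the FIPS provider does not recognise is presumably ignored rather than rejected, so these two settings might never take effect and nothing would report it. Please check the names against the parameters the provider reads; in released OpenSSL 3.2 I believe they are `tls1-prf-ems-check` and `drbg-no-trunc-md`, which would make the lines `tls1-prf-ems-check = $ems_check` and `drbg-no-trunc-md = $drgb_no_trunc_dgst`. The heredoc starts above this hunk.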