openssl/test/fips.cnf

openssl_conf = openssl_init

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

.include fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
# Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g.
# TEST-RAND). This also means that EVP_default_properties_is_fips_enabled()
# returns the expected value
default_properties = "fips=yes"

[provider_sect]
fips = fips_sect
test/recipes/30-test_evp.t: Modify to test with different providers Different providers will give different results, and we need to test them all. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9398) 2019-07-17 20:26:26 +08:00			`openssl_conf = openssl_init`

Add config_diagnostics to our configuration files. The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171) 2021-07-29 07:55:09 +08:00			`# Comment out the next line to ignore configuration errors`
			`config_diagnostics = 1`

Update some nits around the FIPS module - Changed the generated FIPS signature file to be "fipsmodule.conf" since it contains information about the FIPS module/file. - Add -q option to fipsinstall command, to stop chatty verbose status messages. - Document env var OPENSSL_CONF_INCLUDE Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11177) 2020-02-26 05:27:24 +08:00			`.include fipsmodule.cnf`
Add fips module integrity check Add environment variable for setting CONF .include path Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9769) 2019-09-15 17:55:10 +08:00
test/recipes/30-test_evp.t: Modify to test with different providers Different providers will give different results, and we need to test them all. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9398) 2019-07-17 20:26:26 +08:00			`[openssl_init]`
			`providers = provider_sect`
Test that EVP_default_properties_is_fips_enabled() works early We check that EVP_default_properties_is_fips_enabled() is working even before other function calls have auto-loaded the config file. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12567) 2020-08-05 21:46:48 +08:00			`alg_section = evp_properties`

			`[evp_properties]`
			`# Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g.`
			`# TEST-RAND). This also means that EVP_default_properties_is_fips_enabled()`
			`# returns the expected value`
			`default_properties = "fips=yes"`
test/recipes/30-test_evp.t: Modify to test with different providers Different providers will give different results, and we need to test them all. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9398) 2019-07-17 20:26:26 +08:00
			`[provider_sect]`
			`fips = fips_sect`