Change expected test failures in FIPs mode.

Expecting fail in FIPs mode of test-pkcs11-tool-unwrap-wrap-test.sh test
since it FIPs mode OpenSSL doesn't allow RSA-PKCS.

.github/setup-fedora.sh

@@ -20,7 +20,15 @@ fi
 
 sudo dnf install -y $DEPS
 
-sed -i -e '/XFAIL_TESTS/,$ {
-  s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh/
+XFAIL_TESTS="test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh"
+
+# In FIPS mode, OpenSSL doesn't allow RSA-PKCS, this is hardcoded into OpenSSL
+# and we cannot influence it. Hence, the test is expected to fail in FIPS mode.
+if [[ -f "/proc/sys/crypto/fips_enabled" && $(cat /proc/sys/crypto/fips_enabled) == "1" ]]; then
+	XFAIL_TESTS+=" test-pkcs11-tool-unwrap-wrap-test.sh test-p11test.sh"
+fi
+
+sed -i -e "/XFAIL_TESTS/,$ {
+  s/XFAIL_TESTS.*/XFAIL_TESTS=$XFAIL_TESTS/
   q
-}' tests/Makefile.am
+}" tests/Makefile.am

packaging/opensc.spec

@@ -44,10 +44,18 @@ every software/card that does so, too.
 %setup -q
 
 # The test-pkcs11-tool-allowed-mechanisms already works in Fedora
-sed -i -e '/XFAIL_TESTS/,$ {
-  s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh/
+XFAIL_TESTS="test-pkcs11-tool-test-threads.sh test-pkcs11-tool-test.sh"
+
+# In FIPS mode, OpenSSL doesn't allow RSA-PKCS, this is hardcoded into OpenSSL
+# and we cannot influence it. Hence, the test is expected to fail in FIPS mode.
+if [[ -f "/proc/sys/crypto/fips_enabled" && $(cat /proc/sys/crypto/fips_enabled) == "1" ]]; then
+	XFAIL_TESTS+=" test-pkcs11-tool-unwrap-wrap-test.sh test-p11test.sh"
+fi
+
+sed -i -e "/XFAIL_TESTS/,$ {
+  s/XFAIL_TESTS.*/XFAIL_TESTS=$XFAIL_TESTS/
   q
-}' tests/Makefile.am
+}" tests/Makefile.am
 
 
 cp -p src/pkcs15init/README ./README.pkcs15init