test: test -pedantic option in fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-17 15:53:13 +10:00 · 2023-04-17 15:53:13 +10:00 · c8093347f7
commit c8093347f7
parent d30fec6ff4
1 changed files with 26 additions and 1 deletions
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@ -24,7 +24,15 @@ use platform;

 plan skip_all => "Test only supported in a fips build" if disabled("fips");

-plan tests => 34;
+# Compatible options for pedantic FIPS compliance
+my @pedantic_okay =
+    ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );
+
+# Incompatible options for pedantic FIPS compliance
+my @pedantic_fail =
+    ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
+
+plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);

 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@ -380,3 +388,20 @@ ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
 ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
   'fipsinstall will allow option for truncated digests with DRBGs');

+
+ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
+            '-module', $infile, '-pedantic'])),
+       "fipsinstall accepts -pedantic option");
+
+foreach my $o (@pedantic_okay) {
+    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
+                '-module', $infile, '-pedantic', "-${o}"])),
+           "fipsinstall accepts -${o} after -pedantic option");
+}
+
+foreach my $o (@pedantic_fail) {
+    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
+                 '-module', $infile, '-pedantic', "-${o}"])),
+            "fipsinstall disallows -${o} after -pedantic option");
+}
+