test: add command line indicator option checking to fipsinstall
authorPauli <ppzgs1@gmail.com>
Thu, 15 Aug 2024 00:58:25 +0000 (10:58 +1000)
committerPauli <ppzgs1@gmail.com>
Tue, 20 Aug 2024 03:41:44 +0000 (13:41 +1000)
Validate that the relevant options are on when -pedantic is specified,
off when it isn't and can be given to enable the setting.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25194)

test/recipes/03-test_fipsinstall.t

index cb62122fdb71a7b56c798902f66be2f4b46b516a..905bb7bfe371e51ddc6cdecbad851325701db685 100644 (file)
@@ -35,7 +35,35 @@ my @pedantic_fail =
     ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall',
       'no_pbkdf2_lower_bound_check' );
 
-plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
+# Command line options
+my @commandline =
+    (
+        ( 'ems_check',                      'tls1-prf-ems-check' ),
+        ( 'no_short_mac',                   'no-short-mac' ),
+        ( 'no_drbg_truncated_digests',      'drbg-no-trunc-md' ),
+        ( 'signature_digest_check',         'signature-digest-check' ),
+        ( 'hkdf_digest_check',              'hkdf-digest-check' ),
+        ( 'tls13_kdf_digest_check',         'tls13-kdf-digest-check' ),
+        ( 'tls1_prf_digest_check',          'tls1-prf-digest-check' ),
+        ( 'sshkdf_digest_check',            'sshkdf-digest-check' ),
+        ( 'sskdf_digest_check',             'sskdf-digest-check' ),
+        ( 'x963kdf_digest_check',           'x963kdf-digest-check' ),
+        ( 'dsa_sign_disabled',              'dsa-sign-disabled' ),
+        ( 'tdes_encrypt_disabled',          'tdes-encrypt-disabled' ),
+        ( 'rsa_pkcs15_padding_disabled',    'rsa-pkcs15-padding-disabled' ),
+        ( 'rsa_pss_saltlen_check',          'rsa-pss-saltlen-check' ),
+        ( 'rsa_sign_x931_disabled',         'rsa-sign-x931-pad-disabled' ),
+        ( 'hkdf_key_check',                 'hkdf-key-check' ),
+        ( 'kbkdf_key_check',                'kbkdf-key-check' ),
+        ( 'tls13_kdf_key_check',            'tls13-kdf-key-check' ),
+        ( 'tls1_prf_key_check',             'tls1-prf-key-check' ),
+        ( 'sshkdf_key_check',               'sshkdf-key-check' ),
+        ( 'sskdf_key_check',                'sskdf-key-check' ),
+        ( 'x963kdf_key_check',              'x963kdf-key-check' )
+    );
+
+plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail)
+              + 4 * (scalar @commandline);
 
 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@@ -422,3 +450,19 @@ foreach my $o (@pedantic_fail) {
             "fipsinstall disallows -${o} after -pedantic option");
 }
 
+foreach my $cp (@commandline) {
+    my $o = $commandline[0];
+    my $l = $commandline[1];
+
+    ok(find_line_file("${l} = 1", 'fips-pedantic.cnf') == 1,
+       "fipsinstall enables ${l} with -pendantic option");
+    ok(find_line_file("${l} = 0", 'fips.cnf') == 1,
+       "fipsinstall disables ${l} without -pendantic option");
+
+    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
+                '-module', $infile, "-${o}"])),
+           "fipsinstall accepts -${o} option");
+    ok(find_line_file("${l} = 1", "fips-${o}.cnf") == 1,
+       "fipsinstall enables ${l} with -${o} option");
+}
+
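Review bot: The first two test descriptions in this loop spell the option `-pendantic`; they should read `-pedantic`, e.g. `"fipsinstall enables ${l} with -pedantic option"`, so a failing test name matches the option it refers to. Those two checks read `fips-pedantic.cnf` and `fips.cnf`, which are presumably written by earlier tests outside this hunk; a short comment such as `# fips.cnf and fips-pedantic.cnf are produced by the tests above` would make that dependency explicit.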