From: Pauli <pauli@openssl.org>
Date: Mon, 17 Apr 2023 05:53:13 +0000 (+1000)
Subject: test: test -pedantic option in fipsinstall
X-Git-Tag: openssl-3.2.0-alpha1~993
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c8093347f736c7991350d26048b680d0e64974a0;p=thirdparty%2Fopenssl.git

test: test -pedantic option in fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
---

diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 91bb9a7911a..1e933c94874 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -24,7 +24,15 @@ use platform;
 
 plan skip_all => "Test only supported in a fips build" if disabled("fips");
 
-plan tests => 34;
+# Compatible options for pedantic FIPS compliance
+my @pedantic_okay =
+    ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );
+
+# Incompatible options for pedantic FIPS compliance
+my @pedantic_fail =
+    ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
+
+plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
 
 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@@ -380,3 +388,20 @@ ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
 ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
    'fipsinstall will allow option for truncated digests with DRBGs');
 
+
+ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
+            '-module', $infile, '-pedantic'])),
+       "fipsinstall accepts -pedantic option");
+
+foreach my $o (@pedantic_okay) {
+    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
+                '-module', $infile, '-pedantic', "-${o}"])),
+           "fipsinstall accepts -${o} after -pedantic option");
+}
+
+foreach my $o (@pedantic_fail) {
+    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
+                 '-module', $infile, '-pedantic', "-${o}"])),
+            "fipsinstall disallows -${o} after -pedantic option");
+}
+