test: add command line indicator option checking to fipsinstall

Validate that the relevant options are on when -pedantic is specified, off when it isn't and can be given to enable the setting. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25194)
2024-12-21 06:09:35 +08:00 · 2024-08-15 10:58:25 +10:00 · 2024-08-15 10:58:25 +10:00 · a0b652825c
commit a0b652825c
parent 96de408228
1 changed files with 45 additions and 1 deletions
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@ -35,7 +35,35 @@ my @pedantic_fail =
    ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall',
      'no_pbkdf2_lower_bound_check' );

-plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
+# Command line options
+my @commandline =
+    (
+        ( 'ems_check',                      'tls1-prf-ems-check' ),
+        ( 'no_short_mac',                   'no-short-mac' ),
+        ( 'no_drbg_truncated_digests',      'drbg-no-trunc-md' ),
+        ( 'signature_digest_check',         'signature-digest-check' ),
+        ( 'hkdf_digest_check',              'hkdf-digest-check' ),
+        ( 'tls13_kdf_digest_check',         'tls13-kdf-digest-check' ),
+        ( 'tls1_prf_digest_check',          'tls1-prf-digest-check' ),
+        ( 'sshkdf_digest_check',            'sshkdf-digest-check' ),
+        ( 'sskdf_digest_check',             'sskdf-digest-check' ),
+        ( 'x963kdf_digest_check',           'x963kdf-digest-check' ),
+        ( 'dsa_sign_disabled',              'dsa-sign-disabled' ),
+        ( 'tdes_encrypt_disabled',          'tdes-encrypt-disabled' ),
+        ( 'rsa_pkcs15_padding_disabled',    'rsa-pkcs15-padding-disabled' ),
+        ( 'rsa_pss_saltlen_check',          'rsa-pss-saltlen-check' ),
+        ( 'rsa_sign_x931_disabled',         'rsa-sign-x931-pad-disabled' ),
+        ( 'hkdf_key_check',                 'hkdf-key-check' ),
+        ( 'kbkdf_key_check',                'kbkdf-key-check' ),
+        ( 'tls13_kdf_key_check',            'tls13-kdf-key-check' ),
+        ( 'tls1_prf_key_check',             'tls1-prf-key-check' ),
+        ( 'sshkdf_key_check',               'sshkdf-key-check' ),
+        ( 'sskdf_key_check',                'sskdf-key-check' ),
+        ( 'x963kdf_key_check',              'x963kdf-key-check' )
+    );
+
+plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail)
+              + 4 * (scalar @commandline);

 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@ -422,3 +450,19 @@ foreach my $o (@pedantic_fail) {
            "fipsinstall disallows -${o} after -pedantic option");
 }

+foreach my $cp (@commandline) {
+    my $o = $commandline[0];
+    my $l = $commandline[1];
+
+    ok(find_line_file("${l} = 1", 'fips-pedantic.cnf') == 1,
+       "fipsinstall enables ${l} with -pendantic option");
+    ok(find_line_file("${l} = 0", 'fips.cnf') == 1,
+       "fipsinstall disables ${l} without -pendantic option");
+
+    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
+                '-module', $infile, "-${o}"])),
+           "fipsinstall accepts -${o} option");
+    ok(find_line_file("${l} = 1", "fips-${o}.cnf") == 1,
+       "fipsinstall enables ${l} with -${o} option");
+}
+