test: test -pedantic option in fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)

diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 91bb9a7911aadf8c586b384604f1c97096319f07..1e933c94874f5b56ee2d6480c0ff7cd2ed51efec 100644 (file)
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -24,7 +24,15 @@ use platform;
 
 plan skip_all => "Test only supported in a fips build" if disabled("fips");
 
-plan tests => 34;
+# Compatible options for pedantic FIPS compliance
+my @pedantic_okay =
+    ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );
+
+# Incompatible options for pedantic FIPS compliance
+my @pedantic_fail =
+    ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
+
+plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
 
 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@@ -380,3 +388,20 @@ ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
 ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
    'fipsinstall will allow option for truncated digests with DRBGs');
 
+
+ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
+            '-module', $infile, '-pedantic'])),
+       "fipsinstall accepts -pedantic option");
+
+foreach my $o (@pedantic_okay) {
+    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
+                '-module', $infile, '-pedantic', "-${o}"])),
+           "fipsinstall accepts -${o} after -pedantic option");
+}
+
+foreach my $o (@pedantic_fail) {
+    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
+                 '-module', $infile, '-pedantic', "-${o}"])),
+            "fipsinstall disallows -${o} after -pedantic option");
+}
+