| 1 | #include <string.h>
|
|---|
| 2 | #include <openssl/evp.h>
|
|---|
| 3 | #include <openssl/provider.h>
|
|---|
| 4 | #include "testutil.h"
|
|---|
| 5 |
|
|---|
| 6 | static int is_fips;
|
|---|
| 7 | static int bad_fips;
|
|---|
| 8 |
|
|---|
| 9 | static int test_is_fips_enabled(void)
|
|---|
| 10 | {
|
|---|
| 11 | int is_fips_enabled, is_fips_loaded;
|
|---|
| 12 | EVP_MD *sha256 = NULL;
|
|---|
| 13 |
|
|---|
| 14 | /*
|
|---|
| 15 | * Check we're in FIPS mode when we're supposed to be. We do this early to
|
|---|
| 16 | * confirm that EVP_default_properties_is_fips_enabled() works even before
|
|---|
| 17 | * other function calls have auto-loaded the config file.
|
|---|
| 18 | */
|
|---|
| 19 | is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
|
|---|
| 20 | is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips");
|
|---|
| 21 |
|
|---|
| 22 | /*
|
|---|
| 23 | * Check we're in an expected state. EVP_default_properties_is_fips_enabled
|
|---|
| 24 | * can return true even if the FIPS provider isn't loaded - it is only based
|
|---|
| 25 | * on the default properties. However we only set those properties if also
|
|---|
| 26 | * loading the FIPS provider.
|
|---|
| 27 | */
|
|---|
| 28 | if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)
|
|---|
| 29 | || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded))
|
|---|
| 30 | return 0;
|
|---|
| 31 |
|
|---|
| 32 | /*
|
|---|
| 33 | * Fetching an algorithm shouldn't change the state and should come from
|
|---|
| 34 | * expected provider.
|
|---|
| 35 | */
|
|---|
| 36 | sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
|
|---|
| 37 | if (bad_fips) {
|
|---|
| 38 | if (!TEST_ptr_null(sha256)) {
|
|---|
| 39 | EVP_MD_free(sha256);
|
|---|
| 40 | return 0;
|
|---|
| 41 | }
|
|---|
| 42 | } else {
|
|---|
| 43 | if (!TEST_ptr(sha256))
|
|---|
| 44 | return 0;
|
|---|
| 45 | if (is_fips
|
|---|
| 46 | && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)),
|
|---|
| 47 | "fips")) {
|
|---|
| 48 | EVP_MD_free(sha256);
|
|---|
| 49 | return 0;
|
|---|
| 50 | }
|
|---|
| 51 | EVP_MD_free(sha256);
|
|---|
| 52 | }
|
|---|
| 53 |
|
|---|
| 54 | /* State should still be consistent */
|
|---|
| 55 | is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
|
|---|
| 56 | if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled))
|
|---|
| 57 | return 0;
|
|---|
| 58 |
|
|---|
| 59 | return 1;
|
|---|
| 60 | }
|
|---|
| 61 |
|
|---|
| 62 | int setup_tests(void)
|
|---|
| 63 | {
|
|---|
| 64 | size_t argc;
|
|---|
| 65 | char *arg1;
|
|---|
| 66 |
|
|---|
| 67 | if (!test_skip_common_options()) {
|
|---|
| 68 | TEST_error("Error parsing test options\n");
|
|---|
| 69 | return 0;
|
|---|
| 70 | }
|
|---|
| 71 |
|
|---|
| 72 | argc = test_get_argument_count();
|
|---|
| 73 | switch(argc) {
|
|---|
| 74 | case 0:
|
|---|
| 75 | is_fips = 0;
|
|---|
| 76 | bad_fips = 0;
|
|---|
| 77 | break;
|
|---|
| 78 | case 1:
|
|---|
| 79 | arg1 = test_get_argument(0);
|
|---|
| 80 | if (strcmp(arg1, "fips") == 0) {
|
|---|
| 81 | is_fips = 1;
|
|---|
| 82 | bad_fips = 0;
|
|---|
| 83 | break;
|
|---|
| 84 | } else if (strcmp(arg1, "badfips") == 0) {
|
|---|
| 85 | /* Configured for FIPS, but the module fails to load */
|
|---|
| 86 | is_fips = 0;
|
|---|
| 87 | bad_fips = 1;
|
|---|
| 88 | break;
|
|---|
| 89 | }
|
|---|
| 90 | /* fall through */
|
|---|
| 91 | default:
|
|---|
| 92 | TEST_error("Invalid argument\n");
|
|---|
| 93 | return 0;
|
|---|
| 94 | }
|
|---|
| 95 |
|
|---|
| 96 | /* Must be the first test before any other libcrypto calls are made */
|
|---|
| 97 | ADD_TEST(test_is_fips_enabled);
|
|---|
| 98 | return 1;
|
|---|
| 99 | }
|
|---|
