
defltfips_test.c 3.0 KB

  1. /*
  2. * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <string.h>
  10. #include <openssl/evp.h>
  11. #include <openssl/provider.h>
  12. #include "testutil.h"
/* Expected mode: set to 1 by setup_tests() when the argument is "fips". */
static int is_fips = 0;
/*
 * Expected mode: set to 1 by setup_tests() when the argument is "badfips",
 * i.e. the configuration asks for FIPS but the module fails to load.
 */
static int bad_fips = 0;
/*
 * Verify that the library's view of FIPS mode matches the mode this test was
 * started in (see is_fips / bad_fips), both before and after an algorithm
 * fetch, and that the fetch is served by the expected provider.
 *
 * Returns 1 on success and 0 on the first failed expectation.
 */
static int test_is_fips_enabled(void)
{
    EVP_MD *md = NULL;
    int enabled, loaded;
    int ok = 0;

    /*
     * Query the state first, before anything else. This confirms that
     * EVP_default_properties_is_fips_enabled() works even before other
     * function calls have auto-loaded the config file.
     */
    enabled = EVP_default_properties_is_fips_enabled(NULL);
    loaded = OSSL_PROVIDER_available(NULL, "fips");

    /*
     * "Enabled" and "loaded" are separate facts: the enabled flag is derived
     * only from the default properties, so it can be true while the FIPS
     * provider is absent. The config used here only sets those properties
     * together with loading the provider, hence:
     *   enabled <=> fips or badfips
     *   loaded  <=> fips and not badfips
     */
    if (!TEST_int_eq(is_fips || bad_fips, enabled)
            || !TEST_int_eq(is_fips && !bad_fips, loaded))
        return 0;

    /*
     * A fetch must not alter the state, and the implementation must come
     * from the expected provider.
     */
    md = EVP_MD_fetch(NULL, "SHA2-256", NULL);
    if (bad_fips) {
        /*
         * FIPS is demanded by the default properties but the module is not
         * available: the fetch is expected to fail outright rather than
         * hand back an implementation from some other provider.
         */
        if (!TEST_ptr_null(md))
            goto done;
    } else {
        if (!TEST_ptr(md))
            goto done;
        if (is_fips
                && !TEST_str_eq(OSSL_PROVIDER_get0_name(
                                    EVP_MD_get0_provider(md)),
                                "fips"))
            goto done;
    }

    /* Release the digest before re-reading the state, as the checks are done */
    EVP_MD_free(md);
    md = NULL;

    /* The enabled flag must be unchanged by the fetch */
    enabled = EVP_default_properties_is_fips_enabled(NULL);
    if (TEST_int_eq(is_fips || bad_fips, enabled))
        ok = 1;

 done:
    /* md is NULL on every path that has already released (or never got) it */
    EVP_MD_free(md);
    return ok;
}
/*
 * Test harness entry point: derive the expected FIPS mode from the test's
 * command line and register the single test.
 *
 *   (no argument)  neither FIPS enabled nor the FIPS provider loaded
 *   "fips"         FIPS enabled and the FIPS provider loaded
 *   "badfips"      configured for FIPS, but the module fails to load
 *
 * Any other argument, or more than one argument, is rejected.
 * Returns 1 on success, 0 on error.
 */
int setup_tests(void)
{
    size_t nargs;
    const char *mode;
    int want_fips = 0, want_bad_fips = 0;
    int recognised = 0;

    if (!test_skip_common_options()) {
        TEST_error("Error parsing test options\n");
        return 0;
    }

    nargs = test_get_argument_count();
    if (nargs == 0) {
        recognised = 1;
    } else if (nargs == 1) {
        mode = test_get_argument(0);
        if (strcmp(mode, "fips") == 0) {
            want_fips = 1;
            recognised = 1;
        } else if (strcmp(mode, "badfips") == 0) {
            /* Configured for FIPS, but the module fails to load */
            want_bad_fips = 1;
            recognised = 1;
        }
    }

    if (!recognised) {
        TEST_error("Invalid argument\n");
        return 0;
    }

    /* Only publish the expected mode once the argument has been accepted */
    is_fips = want_fips;
    bad_fips = want_bad_fips;

    /* Must be the first test before any other libcrypto calls are made */
    ADD_TEST(test_is_fips_enabled);
    return 1;
}