xref: /freebsd/crypto/openssl/test/defltfips_test.c (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1 /*
2  * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <string.h>
11 #include <openssl/evp.h>
12 #include <openssl/provider.h>
13 #include "testutil.h"
14 
15 static int is_fips;
16 static int bad_fips;
17 
test_is_fips_enabled(void)18 static int test_is_fips_enabled(void)
19 {
20     int is_fips_enabled, is_fips_loaded;
21     EVP_MD *sha256 = NULL;
22 
23     /*
24      * Check we're in FIPS mode when we're supposed to be. We do this early to
25      * confirm that EVP_default_properties_is_fips_enabled() works even before
26      * other function calls have auto-loaded the config file.
27      */
28     is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
29     is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips");
30 
31     /*
32      * Check we're in an expected state. EVP_default_properties_is_fips_enabled
33      * can return true even if the FIPS provider isn't loaded - it is only based
34      * on the default properties. However we only set those properties if also
35      * loading the FIPS provider.
36      */
37     if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)
38             || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded))
39         return 0;
40 
41     /*
42      * Fetching an algorithm shouldn't change the state and should come from
43      * expected provider.
44      */
45     sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
46     if (bad_fips) {
47         if (!TEST_ptr_null(sha256)) {
48             EVP_MD_free(sha256);
49             return 0;
50         }
51     } else {
52         if (!TEST_ptr(sha256))
53             return 0;
54         if (is_fips
55             && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)),
56                             "fips")) {
57             EVP_MD_free(sha256);
58             return 0;
59         }
60         EVP_MD_free(sha256);
61     }
62 
63     /* State should still be consistent */
64     is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
65     if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled))
66         return 0;
67 
68     return 1;
69 }
70 
setup_tests(void)71 int setup_tests(void)
72 {
73     size_t argc;
74     char *arg1;
75 
76     if (!test_skip_common_options()) {
77         TEST_error("Error parsing test options\n");
78         return 0;
79     }
80 
81     argc = test_get_argument_count();
82     switch(argc) {
83     case 0:
84         is_fips = 0;
85         bad_fips = 0;
86         break;
87     case 1:
88         arg1 = test_get_argument(0);
89         if (strcmp(arg1, "fips") == 0) {
90             is_fips = 1;
91             bad_fips = 0;
92             break;
93         } else if (strcmp(arg1, "badfips") == 0) {
94             /* Configured for FIPS, but the module fails to load */
95             is_fips = 0;
96             bad_fips = 1;
97             break;
98         }
99         /* fall through */
100     default:
101         TEST_error("Invalid argument\n");
102         return 0;
103     }
104 
105     /* Must be the first test before any other libcrypto calls are made */
106     ADD_TEST(test_is_fips_enabled);
107     return 1;
108 }
109