1 /*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <openssl/evp.h>
12 #include <openssl/provider.h>
13 #include "testutil.h"
14
15 static int is_fips;
16 static int bad_fips;
17
test_is_fips_enabled(void)18 static int test_is_fips_enabled(void)
19 {
20 int is_fips_enabled, is_fips_loaded;
21 EVP_MD *sha256 = NULL;
22
23 /*
24 * Check we're in FIPS mode when we're supposed to be. We do this early to
25 * confirm that EVP_default_properties_is_fips_enabled() works even before
26 * other function calls have auto-loaded the config file.
27 */
28 is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
29 is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips");
30
31 /*
32 * Check we're in an expected state. EVP_default_properties_is_fips_enabled
33 * can return true even if the FIPS provider isn't loaded - it is only based
34 * on the default properties. However we only set those properties if also
35 * loading the FIPS provider.
36 */
37 if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)
38 || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded))
39 return 0;
40
41 /*
42 * Fetching an algorithm shouldn't change the state and should come from
43 * expected provider.
44 */
45 sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
46 if (bad_fips) {
47 if (!TEST_ptr_null(sha256)) {
48 EVP_MD_free(sha256);
49 return 0;
50 }
51 } else {
52 if (!TEST_ptr(sha256))
53 return 0;
54 if (is_fips
55 && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)),
56 "fips")) {
57 EVP_MD_free(sha256);
58 return 0;
59 }
60 EVP_MD_free(sha256);
61 }
62
63 /* State should still be consistent */
64 is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
65 if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled))
66 return 0;
67
68 return 1;
69 }
70
setup_tests(void)71 int setup_tests(void)
72 {
73 size_t argc;
74 char *arg1;
75
76 if (!test_skip_common_options()) {
77 TEST_error("Error parsing test options\n");
78 return 0;
79 }
80
81 argc = test_get_argument_count();
82 switch(argc) {
83 case 0:
84 is_fips = 0;
85 bad_fips = 0;
86 break;
87 case 1:
88 arg1 = test_get_argument(0);
89 if (strcmp(arg1, "fips") == 0) {
90 is_fips = 1;
91 bad_fips = 0;
92 break;
93 } else if (strcmp(arg1, "badfips") == 0) {
94 /* Configured for FIPS, but the module fails to load */
95 is_fips = 0;
96 bad_fips = 1;
97 break;
98 }
99 /* fall through */
100 default:
101 TEST_error("Invalid argument\n");
102 return 0;
103 }
104
105 /* Must be the first test before any other libcrypto calls are made */
106 ADD_TEST(test_is_fips_enabled);
107 return 1;
108 }
109