176612Stshiozak/* 276612Stshiozak * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. 376612Stshiozak * 476612Stshiozak * Licensed under the Apache License 2.0 (the "License"). You may not use 576612Stshiozak * this file except in compliance with the License. You can obtain a copy 676612Stshiozak * in the file LICENSE in the source distribution or at 776612Stshiozak * https://www.openssl.org/source/license.html 876612Stshiozak */ 976612Stshiozak 1076612Stshiozak#include <string.h> 1176612Stshiozak#include <openssl/evp.h> 1276612Stshiozak#include <openssl/provider.h> 1376612Stshiozak#include "testutil.h" 1476612Stshiozak 1576612Stshiozakstatic int is_fips; 1676612Stshiozakstatic int bad_fips; 1776612Stshiozak 1876612Stshiozakstatic int test_is_fips_enabled(void) 1976612Stshiozak{ 2076612Stshiozak int is_fips_enabled, is_fips_loaded; 2176612Stshiozak EVP_MD *sha256 = NULL; 2276612Stshiozak 2376612Stshiozak /* 2476612Stshiozak * Check we're in FIPS mode when we're supposed to be. We do this early to 2576612Stshiozak * confirm that EVP_default_properties_is_fips_enabled() works even before 2676612Stshiozak * other function calls have auto-loaded the config file. 2776612Stshiozak */ 2876612Stshiozak is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL); 2976612Stshiozak is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips"); 3092986Sobrien 3176612Stshiozak /* 3276612Stshiozak * Check we're in an expected state. EVP_default_properties_is_fips_enabled 3376612Stshiozak * can return true even if the FIPS provider isn't loaded - it is only based 3492986Sobrien * on the default properties. However we only set those properties if also 3586170Sobrien * loading the FIPS provider. 3676612Stshiozak */ 3776612Stshiozak if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled) 3876612Stshiozak || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded)) 3976612Stshiozak return 0; 40188080Sdanger 4176612Stshiozak /* 4276612Stshiozak * Fetching an algorithm shouldn't change the state and should come from 4376612Stshiozak * expected provider. 4476612Stshiozak */ 4576612Stshiozak sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL); 4676612Stshiozak if (bad_fips) { 4776612Stshiozak if (!TEST_ptr_null(sha256)) { 4876612Stshiozak EVP_MD_free(sha256); 4976612Stshiozak return 0; 5076612Stshiozak } 5176612Stshiozak } else { 5276612Stshiozak if (!TEST_ptr(sha256)) 53 return 0; 54 if (is_fips 55 && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)), 56 "fips")) { 57 EVP_MD_free(sha256); 58 return 0; 59 } 60 EVP_MD_free(sha256); 61 } 62 63 /* State should still be consistent */ 64 is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL); 65 if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)) 66 return 0; 67 68 return 1; 69} 70 71int setup_tests(void) 72{ 73 size_t argc; 74 char *arg1; 75 76 if (!test_skip_common_options()) { 77 TEST_error("Error parsing test options\n"); 78 return 0; 79 } 80 81 argc = test_get_argument_count(); 82 switch(argc) { 83 case 0: 84 is_fips = 0; 85 bad_fips = 0; 86 break; 87 case 1: 88 arg1 = test_get_argument(0); 89 if (strcmp(arg1, "fips") == 0) { 90 is_fips = 1; 91 bad_fips = 0; 92 break; 93 } else if (strcmp(arg1, "badfips") == 0) { 94 /* Configured for FIPS, but the module fails to load */ 95 is_fips = 0; 96 bad_fips = 1; 97 break; 98 } 99 /* fall through */ 100 default: 101 TEST_error("Invalid argument\n"); 102 return 0; 103 } 104 105 /* Must be the first test before any other libcrypto calls are made */ 106 ADD_TEST(test_is_fips_enabled); 107 return 1; 108} 109