http_test servername_test ocspapitest fatalerrtest tls13ccstest \
sysdefaulttest errtest ssl_ctx_test gosttest \
context_internal_test aesgcmtest params_test evp_pkey_dparams_test \
- keymgmt_internal_test hexstr_test provider_status_test
+ keymgmt_internal_test hexstr_test provider_status_test defltfips_test
IF[{- !$disabled{'deprecated-3.0'} -}]
PROGRAMS{noinst}=enginetest
INCLUDE[sslapitest]=../include ../apps/include ..
DEPEND[sslapitest]=../libcrypto ../libssl libtestutil.a
+ SOURCE[defltfips_test]=defltfips_test.c
+ INCLUDE[defltfips_test]=../include ../apps/include
+ DEPEND[defltfips_test]=../libcrypto libtestutil.a
+
SOURCE[ocspapitest]=ocspapitest.c
INCLUDE[ocspapitest]=../include ../apps/include
DEPEND[ocspapitest]=../libcrypto libtestutil.a
--- /dev/null
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/provider.h>
+#include "testutil.h"
+
+static int is_fips;
+
+static int test_is_fips_enabled(void)
+{
+ int is_fips_enabled, is_fips_loaded;
+ EVP_MD *sha256 = NULL;
+
+ /*
+ * Check we're in FIPS mode when we're supposed to be. We do this early to
+ * confirm that EVP_default_properties_is_fips_enabled() works even before
+ * other function calls have auto-loaded the config file.
+ */
+ is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
+ is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips");
+
+ /*
+ * Check we're in an expected state. EVP_default_properties_is_fips_enabled
+ * can return true even if the FIPS provider isn't loaded - it is only based
+ * on the default properties. However we only set those properties if also
+ * loading the FIPS provider.
+ */
+ if (!TEST_int_eq(is_fips, is_fips_enabled)
+ || !TEST_int_eq(is_fips, is_fips_loaded))
+ return 0;
+
+ /*
+ * Fetching an algorithm shouldn't change the state and should come from
+ * expected provider.
+ */
+ sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
+ if (!TEST_ptr(sha256))
+ return 0;
+ if (is_fips
+ && !TEST_str_eq(OSSL_PROVIDER_name(EVP_MD_provider(sha256)), "fips")) {
+ EVP_MD_free(sha256);
+ return 0;
+ }
+ EVP_MD_free(sha256);
+
+ /* State should still be consistent */
+ is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
+ if (!TEST_int_eq(is_fips, is_fips_enabled))
+ return 0;
+
+ return 1;
+}
+
+int setup_tests(void)
+{
+ size_t argc;
+
+ if (!test_skip_common_options()) {
+ TEST_error("Error parsing test options\n");
+ return 0;
+ }
+
+ argc = test_get_argument_count();
+ switch(argc) {
+ case 0:
+ is_fips = 0;
+ break;
+ case 1:
+ if (strcmp(test_get_argument(0), "fips") == 0) {
+ is_fips = 1;
+ break;
+ }
+ /* fall through */
+ default:
+ TEST_error("Invalid argument\n");
+ return 0;
+ }
+
+ /* Must be the first test before any other libcrypto calls are made */
+ ADD_TEST(test_is_fips_enabled);
+ return 1;
+}
if (!TEST_ptr(rdata = OPENSSL_zalloc(sizeof(*rdata))))
return 0;
- rand = EVP_RAND_fetch(libctx, "TEST-RAND", NULL);
+ /* TEST-RAND is available in the FIPS provider but not with "fips=yes" */
+ rand = EVP_RAND_fetch(libctx, "TEST-RAND", "-fips");
if (rand == NULL)
goto err;
rdata->parent = EVP_RAND_CTX_new(rand, NULL);
[openssl_init]
providers = provider_sect
+alg_section = evp_properties
+
+[evp_properties]
+# Ensure FIPS non-approved algorithms in the FIPS module are suppressed (e.g.
+# TEST-RAND). This also means that EVP_default_properties_is_fips_enabled()
+# returns the expected value
+default_properties = "fips=yes"
[provider_sect]
fips = fips_sect
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use Cwd qw(abs_path);
+
+BEGIN {
+ setup("test_evp");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
+plan tests =>
+ ($no_fips ? 1 : 3);
+
+unless ($no_fips) {
+ my $infile = bldtop_file('providers', platform->dso('fips'));
+
+ ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
+ '-module', $infile])),
+ "fipsinstall");
+
+ $ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "fips.cnf"));
+ ok(run(test(["defltfips_test", "fips"])), "running defltfips_test fips");
+}
+
+$ENV{OPENSSL_CONF} = abs_path(srctop_file("test", "default.cnf"));
+ok(run(test(["defltfips_test"])), "running defltfips_test");
};
static const OSSL_ALGORITHM tls_prov_keyexch[] = {
- { "XOR", "provider=tls-provider", xor_keyexch_functions },
+ /*
+ * Obviously this is not FIPS approved, but in order to test in conjuction
+ * with the FIPS provider we pretend that it is.
+ */
+ { "XOR", "provider=tls-provider,fips=yes", xor_keyexch_functions },
{ NULL, NULL, NULL }
};
};
static const OSSL_ALGORITHM tls_prov_keymgmt[] = {
- { "XOR", "provider=tls-provider", xor_keymgmt_functions },
+ /*
+ * Obviously this is not FIPS approved, but in order to test in conjuction
+ * with the FIPS provider we pretend that it is.
+ */
+ { "XOR", "provider=tls-provider,fips=yes", xor_keymgmt_functions },
{ NULL, NULL, NULL }
};
projects / thirdparty / openssl.git / commitdiff
