From: Pauli
Date: Thu, 11 Jul 2024 00:54:05 +0000 (+1000)
Subject: Add unit tests for the TEST-RAND FIPS indicator
X-Git-Tag: openssl-3.4.0-alpha1~333
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df32ba9e921f8cc06da94f414b437c8896520a58;p=thirdparty%2Fopenssl.git
Add unit tests for the TEST-RAND FIPS indicator
Reviewed-by: Shane Lontis
Reviewed-by: Tom Cosgrove
(Merged from https://github.com/openssl/openssl/pull/24851)
---
diff --git a/test/rand_test.c b/test/rand_test.c
index 9f96b9b6dbb..cc0622cec6c 100644
--- a/test/rand_test.c
+++ b/test/rand_test.c
@@ -17,6 +17,8 @@
 static int test_rand(void)
 {
 EVP_RAND_CTX *privctx;
+ const OSSL_PROVIDER *prov;
+ int indicator = 1;
 OSSL_PARAM params[2], *p = params;
 unsigned char entropy1[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
 unsigned char entropy2[] = { 0xff, 0xfe, 0xfd };
@@ -42,6 +44,17 @@ static int test_rand(void)
 || !TEST_int_gt(RAND_priv_bytes(outbuf, sizeof(outbuf)), 0)
 || !TEST_mem_eq(outbuf, sizeof(outbuf), entropy2, sizeof(outbuf)))
 return 0;
+
+ /* Verify that the FIPS indicator can be read and is false */
+ prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(privctx));
+ if (prov != NULL
+ && strcmp(OSSL_PROVIDER_get0_name(prov), "fips") == 0) {
+ params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR,
+ &indicator);
+ if (!TEST_true(EVP_RAND_CTX_get_params(privctx, params))
+ || !TEST_int_eq(indicator, 0))
+ return 0;
+ }
 return 1;
 }

@@ -78,8 +91,14 @@ static int test_rand_uniform(void)

 int setup_tests(void)
 {
- if (!TEST_true(RAND_set_DRBG_type(NULL, "TEST-RAND", NULL, NULL, NULL)))
+ char *configfile;
+
+ if (!TEST_ptr(configfile = test_get_argument(0))
+ || !TEST_true(RAND_set_DRBG_type(NULL, "TEST-RAND", "fips=no",
+ NULL, NULL))
+ || !TEST_true(OSSL_LIB_CTX_load_config(NULL, configfile)))
 return 0;
+
 ADD_TEST(test_rand);
 ADD_TEST(test_rand_uniform);
 return 1;
diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t
index dac37b8fd13..94a2749c7b6 100644
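Review bot: The FIPS indicator assertion added to test_rand (hunk `@@ -42,6 +44,17 @@` of test/rand_test.c) is skipped without any trace when `prov` is NULL or its name is not "fips", so a run given the FIPS configuration still passes if TEST-RAND was resolved from another provider and the indicator was never read. Make the skipped case visible, for instance with `TEST_info("provider is not fips, approved indicator not checked")` on the else path, or fail there when the FIPS configuration was requested. The read overwrites `params[0]` and presumably relies on `params[1]` still holding the terminator written earlier in the function, outside the hunk; a comment such as `/* params[1] still terminates the array from the set-up above */` would make that dependency explicit. It is also worth a comment on `int indicator = 1;` in the first hunk that the non-zero start is deliberate, so that a get which leaves the value untouched fails `TEST_int_eq(indicator, 0)`.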
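Review bot: setup_tests (hunk `@@ -78,8 +91,14 @@` of test/rand_test.c) now depends on a positional argument, but `test_get_argument(0)` is called with no visible `test_skip_common_options()` before it and no usage declaration, so running the binary by hand without a config file fails on a bare `TEST_ptr` with no hint of what is missing. If the harness options are not consumed elsewhere (not visible from this hunk), add the skip call ahead of the argument read and declare the argument with `OPT_TEST_DECLARE_USAGE("conf_file\n")` near the top of the file. The new "fips=no" property query passed to `RAND_set_DRBG_type` deserves a one-line comment saying why it is required, presumably because TEST-RAND is not an approved algorithm and must stay fetchable under the FIPS configuration. The function's closing brace lies past the end of the hunk.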
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@@ -10,11 +10,19 @@ use strict;
 use warnings;
 use OpenSSL::Test;
 use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;

-plan tests => 5;
+plan tests => 6;
 setup("test_rand");

-ok(run(test(["rand_test"])));
+ok(run(test(["rand_test", srctop_file("test", "default.cnf")])));
+
+SKIP: {
+ skip "Skipping FIPS test in this build", 1 if disabled('fips');
+
+ ok(run(test(["rand_test", srctop_file("test", "fips.cnf")])));
+}
+
 ok(run(test(["drbgtest"])));
 ok(run(test(["rand_status_test"])));
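Review bot: `use OpenSSL::Test qw/:DEFAULT srctop_file/;` is added below the unchanged `use OpenSSL::Test;`, so the module is now imported twice; replacing the existing line with the qualified form keeps a single import. The FIPS run is gated only on `disabled('fips')`, so if other recipes in this tree also honour an environment override for skipping FIPS tests (not visible here), the same condition should be used so this run is skipped consistently. A short comment above the SKIP block, for example `# Second run loads the FIPS config so rand_test can read the approved indicator`, would explain why the same binary is executed twice.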