evp_test: check MAC FIPS approved flag
authorPauli <ppzgs1@gmail.com>
Wed, 17 Jul 2024 21:59:01 +0000 (07:59 +1000)
committerPauli <ppzgs1@gmail.com>
Fri, 26 Jul 2024 00:08:43 +0000 (10:08 +1000)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

test/evp_test.c

index b44842bc917521e130b1cc95e79e19a71f50e8bd..5d720d56e01b1af5741ac0eedf16b871d6628468 100644 (file)
@@ -126,6 +126,22 @@ static int check_fips_approved(EVP_TEST *t, int approved)
     return 1;
 }
 
+static int mac_check_fips_approved(EVP_MAC_CTX *ctx, EVP_TEST *t)
+{
+    OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+    /*
+     * For any getters that do not handle the FIPS indicator assume a default
+     * value of approved.
+     */
+    int approved = 1;
+
+    params[0] = OSSL_PARAM_construct_int(OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR,
+                                         &approved);
+    if (!EVP_MAC_CTX_get_params(ctx, params))
+        return 0;
+    return check_fips_approved(t, approved);
+}
+
 static int pkey_check_fips_approved(EVP_PKEY_CTX *ctx, EVP_TEST *t)
 {
     OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
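Review bot: mac_check_fips_approved returns 0 both when `EVP_MAC_CTX_get_params` fails and when `check_fips_approved` rejects the value, so a failing run cannot tell a broken getter from an indicator mismatch. Because `approved` starts at 1, a MAC implementation that never writes the indicator is counted as approved without being checked. The existing comment could say so, for example `/* NOTE: a getter that ignores the indicator leaves approved == 1, so "approved" is unverified for that provider. */`. A one-line header comment stating the return convention would also help: `/* Returns 0 if the parameter query fails or check_fips_approved() rejects the reported value, 1 otherwise. */`.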
@@ -1964,6 +1980,8 @@ static int mac_test_run_mac(EVP_TEST *t)
             t->err = "TEST_MAC_ERR";
             goto err;
         }
+        if (!mac_check_fips_approved(ctx, t))
+            goto err;
     }
     /* FIPS(3.0.0): can't reinitialise MAC contexts #18100 */
     if (reinit-- && fips_provider_version_gt(libctx, 3, 0, 0)) {
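Review bot: The new `goto err` after `mac_check_fips_approved(ctx, t)` does not assign `t->err`, unlike the branch directly above it, which sets `t->err = "TEST_MAC_ERR"` before jumping. What `t->err` holds at that point and what the `err` label returns are outside this hunk, since mac_test_run_mac starts and ends beyond it. If `t->err` is still unset there, a FIPS indicator mismatch could be reported with no error tag, or might not fail the test at all. Setting a tag before the jump removes that doubt, for example `if (!mac_check_fips_approved(ctx, t)) { t->err = "TEST_MAC_ERR"; goto err; }`, or a more specific tag if the test data should tell the two failures apart.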