1/*
2 * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License").  You may not use
5 * this file except in compliance with the License.  You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <string.h>
11#include <openssl/evp.h>
12#include <openssl/provider.h>
13#include "testutil.h"
14
15static int is_fips;
16static int bad_fips;
17
18static int test_is_fips_enabled(void)
19{
20    int is_fips_enabled, is_fips_loaded;
21    EVP_MD *sha256 = NULL;
22
23    /*
24     * Check we're in FIPS mode when we're supposed to be. We do this early to
25     * confirm that EVP_default_properties_is_fips_enabled() works even before
26     * other function calls have auto-loaded the config file.
27     */
28    is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
29    is_fips_loaded = OSSL_PROVIDER_available(NULL, "fips");
30
31    /*
32     * Check we're in an expected state. EVP_default_properties_is_fips_enabled
33     * can return true even if the FIPS provider isn't loaded - it is only based
34     * on the default properties. However we only set those properties if also
35     * loading the FIPS provider.
36     */
37    if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)
38            || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded))
39        return 0;
40
41    /*
42     * Fetching an algorithm shouldn't change the state and should come from
43     * expected provider.
44     */
45    sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL);
46    if (bad_fips) {
47        if (!TEST_ptr_null(sha256)) {
48            EVP_MD_free(sha256);
49            return 0;
50        }
51    } else {
52        if (!TEST_ptr(sha256))
53            return 0;
54        if (is_fips
55            && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)),
56                            "fips")) {
57            EVP_MD_free(sha256);
58            return 0;
59        }
60        EVP_MD_free(sha256);
61    }
62
63    /* State should still be consistent */
64    is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL);
65    if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled))
66        return 0;
67
68    return 1;
69}
70
71int setup_tests(void)
72{
73    size_t argc;
74    char *arg1;
75
76    if (!test_skip_common_options()) {
77        TEST_error("Error parsing test options\n");
78        return 0;
79    }
80
81    argc = test_get_argument_count();
82    switch(argc) {
83    case 0:
84        is_fips = 0;
85        bad_fips = 0;
86        break;
87    case 1:
88        arg1 = test_get_argument(0);
89        if (strcmp(arg1, "fips") == 0) {
90            is_fips = 1;
91            bad_fips = 0;
92            break;
93        } else if (strcmp(arg1, "badfips") == 0) {
94            /* Configured for FIPS, but the module fails to load */
95            is_fips = 0;
96            bad_fips = 1;
97            break;
98        }
99        /* fall through */
100    default:
101        TEST_error("Invalid argument\n");
102        return 0;
103    }
104
105    /* Must be the first test before any other libcrypto calls are made */
106    ADD_TEST(test_is_fips_enabled);
107    return 1;
108}
109