Runtime detect FIPS RNG usage in test

Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19237)
2025-01-12 13:36:28 +08:00 · 2022-09-19 10:47:06 +10:00 · 2022-09-19 10:47:06 +10:00 · c91f972c9f
commit c91f972c9f
parent 3fd255acb7
1 changed files with 18 additions and 29 deletions
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@ -132,15 +132,23 @@ static time_t reseed_time(EVP_RAND_CTX *drbg)

 /*
 * When building the FIPS module, it isn't possible to disable the continuous
- * RNG tests.  Tests that require this are skipped.
+ * RNG tests.  Tests that require this are skipped and this means a detection
+ * mechanism for the FIPS provider being in use.
 */
-static int crngt_skip(void)
+static int using_fips_rng(void)
 {
-#ifdef FIPS_MODULE
-    return 1;
-#else
-    return 0;
-#endif
+    EVP_RAND_CTX *primary = RAND_get0_primary(NULL);
+    const OSSL_PROVIDER *prov;
+    const char *name;
+
+    if (!TEST_ptr(primary))
+        return 0;
+
+    prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(primary));
+    if (!TEST_ptr(prov))
+        return 0;
+    name = OSSL_PROVIDER_get0_name(prov);
+    return strcmp(name, "OpenSSL FIPS Provider") == 0;
 }

 /*
@ -540,7 +548,7 @@ static int test_rand_fork_safety(int i)

 /*
 * Test whether the default rand_method (RAND_OpenSSL()) is
- * setup correctly, in particular whether reseeding  works
+ * setup correctly, in particular whether reseeding works
 * as designed.
 */
 static int test_rand_reseed(void)
@ -550,7 +558,7 @@ static int test_rand_reseed(void)
    int rv = 0;
    time_t before_reseed;

-    if (crngt_skip())
+    if (using_fips_rng())
        return TEST_skip("CRNGT cannot be disabled");

 #ifndef OPENSSL_NO_DEPRECATED_3_0
@ -582,7 +590,6 @@ static int test_rand_reseed(void)
    EVP_RAND_uninstantiate(private);
    EVP_RAND_uninstantiate(public);

-
    /*
     * Test initial seeding of shared DRBGs
     */
@ -592,7 +599,6 @@ static int test_rand_reseed(void)
                                    1, 1, 1, 0)))
        goto error;

-
    /*
     * Test initial state of shared DRBGs
     */
@ -640,7 +646,6 @@ static int test_rand_reseed(void)
    /* fill 'randomness' buffer with some arbitrary data */
    memset(rand_add_buf, 'r', sizeof(rand_add_buf));

-#ifndef FIPS_MODULE
    /*
     * Test whether all three DRBGs are reseeded by RAND_add().
     * The before_reseed time has to be measured here and passed into the
@ -657,22 +662,6 @@ static int test_rand_reseed(void)
                                    1, 1, 1,
                                    before_reseed)))
        goto error;
-#else /* FIPS_MODULE */
-    /*
-     * In FIPS mode, random data provided by the application via RAND_add()
-     * is not considered a trusted entropy source. It is only treated as
-     * additional_data and no reseeding is forced. This test assures that
-     * no reseeding occurs.
-     */
-    before_reseed = time(NULL);
-    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
-    if (!TEST_true(test_drbg_reseed(1,
-                                    primary, public, private,
-                                    NULL, NULL,
-                                    0, 0, 0,
-                                    before_reseed)))
-        goto error;
-#endif

    rv = 1;

@ -822,7 +811,7 @@ static int test_rand_prediction_resistance(void)
    unsigned char buf1[51], buf2[sizeof(buf1)];
    int ret = 0, xreseed, yreseed, zreseed;

-    if (crngt_skip())
+    if (using_fips_rng())
        return TEST_skip("CRNGT cannot be disabled");

    /* Initialise a three long DRBG chain */