mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-30 14:01:55 +08:00
Code Issues Packages Projects Releases Wiki Activity

Runtime detect FIPS RNG usage in test

Browse Source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)
This commit is contained in:
Pauli 2022-09-19 10:47:06 +10:00
parent 3fd255acb7
commit c91f972c9f
1 changed files with 18 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
test/drbgtest.c
View File

@ -132,15 +132,23 @@ static time_t reseed_time(EVP_RAND_CTX *drbg)
/* /*
* When building the FIPS module, it isn't possible to disable the continuous * When building the FIPS module, it isn't possible to disable the continuous
* RNG tests. Tests that require this are skipped. * RNG tests. Tests that require this are skipped and this means a detection
* mechanism for the FIPS provider being in use.
*/ */
static int crngt_skip(void) static int using_fips_rng(void)
{ {
#ifdef FIPS_MODULE EVP_RAND_CTX *primary = RAND_get0_primary(NULL);
return 1; const OSSL_PROVIDER *prov;
#else const char *name;
if (!TEST_ptr(primary))
return 0; return 0;
#endif
prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(primary));
if (!TEST_ptr(prov))
return 0;
name = OSSL_PROVIDER_get0_name(prov);
return strcmp(name, "OpenSSL FIPS Provider") == 0;
} }
/* /*
@ -550,7 +558,7 @@ static int test_rand_reseed(void)
int rv = 0; int rv = 0;
time_t before_reseed; time_t before_reseed;
if (crngt_skip()) if (using_fips_rng())
return TEST_skip("CRNGT cannot be disabled"); return TEST_skip("CRNGT cannot be disabled");
#ifndef OPENSSL_NO_DEPRECATED_3_0 #ifndef OPENSSL_NO_DEPRECATED_3_0
@ -582,7 +590,6 @@ static int test_rand_reseed(void)
EVP_RAND_uninstantiate(private); EVP_RAND_uninstantiate(private);
EVP_RAND_uninstantiate(public); EVP_RAND_uninstantiate(public);
/* /*
* Test initial seeding of shared DRBGs * Test initial seeding of shared DRBGs
*/ */
@ -592,7 +599,6 @@ static int test_rand_reseed(void)
1, 1, 1, 0))) 1, 1, 1, 0)))
goto error; goto error;
/* /*
* Test initial state of shared DRBGs * Test initial state of shared DRBGs
*/ */
@ -640,7 +646,6 @@ static int test_rand_reseed(void)
/* fill 'randomness' buffer with some arbitrary data */ /* fill 'randomness' buffer with some arbitrary data */
memset(rand_add_buf, 'r', sizeof(rand_add_buf)); memset(rand_add_buf, 'r', sizeof(rand_add_buf));
#ifndef FIPS_MODULE
/* /*
* Test whether all three DRBGs are reseeded by RAND_add(). * Test whether all three DRBGs are reseeded by RAND_add().
* The before_reseed time has to be measured here and passed into the * The before_reseed time has to be measured here and passed into the
@ -657,22 +662,6 @@ static int test_rand_reseed(void)
1, 1, 1, 1, 1, 1,
before_reseed))) before_reseed)))
goto error; goto error;
#else /* FIPS_MODULE */
/*
* In FIPS mode, random data provided by the application via RAND_add()
* is not considered a trusted entropy source. It is only treated as
* additional_data and no reseeding is forced. This test assures that
* no reseeding occurs.
*/
before_reseed = time(NULL);
RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
if (!TEST_true(test_drbg_reseed(1,
primary, public, private,
NULL, NULL,
0, 0, 0,
before_reseed)))
goto error;
#endif
rv = 1; rv = 1;
@ -822,7 +811,7 @@ static int test_rand_prediction_resistance(void)
unsigned char buf1[51], buf2[sizeof(buf1)]; unsigned char buf1[51], buf2[sizeof(buf1)];
int ret = 0, xreseed, yreseed, zreseed; int ret = 0, xreseed, yreseed, zreseed;
if (crngt_skip()) if (using_fips_rng())
return TEST_skip("CRNGT cannot be disabled"); return TEST_skip("CRNGT cannot be disabled");
/* Initialise a three long DRBG chain */ /* Initialise a three long DRBG chain */