mirror of
https://github.com/openssl/openssl.git
synced 2025-01-18 13:44:20 +08:00
Runtime detect FIPS RNG usage in test
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19237)
This commit is contained in:
parent
3fd255acb7
commit
c91f972c9f
@ -132,15 +132,23 @@ static time_t reseed_time(EVP_RAND_CTX *drbg)
|
||||
|
||||
/*
|
||||
* When building the FIPS module, it isn't possible to disable the continuous
|
||||
* RNG tests. Tests that require this are skipped.
|
||||
* RNG tests. Tests that require this are skipped and this means a detection
|
||||
* mechanism for the FIPS provider being in use.
|
||||
*/
|
||||
static int crngt_skip(void)
|
||||
static int using_fips_rng(void)
|
||||
{
|
||||
#ifdef FIPS_MODULE
|
||||
return 1;
|
||||
#else
|
||||
EVP_RAND_CTX *primary = RAND_get0_primary(NULL);
|
||||
const OSSL_PROVIDER *prov;
|
||||
const char *name;
|
||||
|
||||
if (!TEST_ptr(primary))
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(primary));
|
||||
if (!TEST_ptr(prov))
|
||||
return 0;
|
||||
name = OSSL_PROVIDER_get0_name(prov);
|
||||
return strcmp(name, "OpenSSL FIPS Provider") == 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -550,7 +558,7 @@ static int test_rand_reseed(void)
|
||||
int rv = 0;
|
||||
time_t before_reseed;
|
||||
|
||||
if (crngt_skip())
|
||||
if (using_fips_rng())
|
||||
return TEST_skip("CRNGT cannot be disabled");
|
||||
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
@ -582,7 +590,6 @@ static int test_rand_reseed(void)
|
||||
EVP_RAND_uninstantiate(private);
|
||||
EVP_RAND_uninstantiate(public);
|
||||
|
||||
|
||||
/*
|
||||
* Test initial seeding of shared DRBGs
|
||||
*/
|
||||
@ -592,7 +599,6 @@ static int test_rand_reseed(void)
|
||||
1, 1, 1, 0)))
|
||||
goto error;
|
||||
|
||||
|
||||
/*
|
||||
* Test initial state of shared DRBGs
|
||||
*/
|
||||
@ -640,7 +646,6 @@ static int test_rand_reseed(void)
|
||||
/* fill 'randomness' buffer with some arbitrary data */
|
||||
memset(rand_add_buf, 'r', sizeof(rand_add_buf));
|
||||
|
||||
#ifndef FIPS_MODULE
|
||||
/*
|
||||
* Test whether all three DRBGs are reseeded by RAND_add().
|
||||
* The before_reseed time has to be measured here and passed into the
|
||||
@ -657,22 +662,6 @@ static int test_rand_reseed(void)
|
||||
1, 1, 1,
|
||||
before_reseed)))
|
||||
goto error;
|
||||
#else /* FIPS_MODULE */
|
||||
/*
|
||||
* In FIPS mode, random data provided by the application via RAND_add()
|
||||
* is not considered a trusted entropy source. It is only treated as
|
||||
* additional_data and no reseeding is forced. This test assures that
|
||||
* no reseeding occurs.
|
||||
*/
|
||||
before_reseed = time(NULL);
|
||||
RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
|
||||
if (!TEST_true(test_drbg_reseed(1,
|
||||
primary, public, private,
|
||||
NULL, NULL,
|
||||
0, 0, 0,
|
||||
before_reseed)))
|
||||
goto error;
|
||||
#endif
|
||||
|
||||
rv = 1;
|
||||
|
||||
@ -822,7 +811,7 @@ static int test_rand_prediction_resistance(void)
|
||||
unsigned char buf1[51], buf2[sizeof(buf1)];
|
||||
int ret = 0, xreseed, yreseed, zreseed;
|
||||
|
||||
if (crngt_skip())
|
||||
if (using_fips_rng())
|
||||
return TEST_skip("CRNGT cannot be disabled");
|
||||
|
||||
/* Initialise a three long DRBG chain */
|
||||
|
Loading…
Reference in New Issue
Block a user