Add unit tests for the TEST-RAND FIPS indicator

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/24851)
2025-01-24 13:55:42 +08:00 · 2024-07-11 10:54:05 +10:00 · 2024-07-11 10:54:05 +10:00 · df32ba9e92
commit df32ba9e92
parent 924321a519
2 changed files with 30 additions and 3 deletions
--- a/test/rand_test.c
+++ b/test/rand_test.c
@ -17,6 +17,8 @@
 static int test_rand(void)
 {
    EVP_RAND_CTX *privctx;
+    const OSSL_PROVIDER *prov;
+    int indicator = 1;
    OSSL_PARAM params[2], *p = params;
    unsigned char entropy1[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05 };
    unsigned char entropy2[] = { 0xff, 0xfe, 0xfd };
@ -42,6 +44,17 @@ static int test_rand(void)
            || !TEST_int_gt(RAND_priv_bytes(outbuf, sizeof(outbuf)), 0)
            || !TEST_mem_eq(outbuf, sizeof(outbuf), entropy2, sizeof(outbuf)))
        return 0;
+
+    /* Verify that the FIPS indicator can be read and is false */
+    prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(privctx));
+    if (prov != NULL
+            && strcmp(OSSL_PROVIDER_get0_name(prov), "fips") == 0) {
+        params[0] = OSSL_PARAM_construct_int(OSSL_RAND_PARAM_FIPS_APPROVED_INDICATOR,
+                                             &indicator);
+        if (!TEST_true(EVP_RAND_CTX_get_params(privctx, params))
+                || !TEST_int_eq(indicator, 0))
+            return 0;
+    }
    return 1;
 }

@ -78,8 +91,14 @@ static int test_rand_uniform(void)

 int setup_tests(void)
 {
-    if (!TEST_true(RAND_set_DRBG_type(NULL, "TEST-RAND", NULL, NULL, NULL)))
+    char *configfile;
+
+    if (!TEST_ptr(configfile = test_get_argument(0))
+            || !TEST_true(RAND_set_DRBG_type(NULL, "TEST-RAND", "fips=no",
+                                             NULL, NULL))
+            || !TEST_true(OSSL_LIB_CTX_load_config(NULL, configfile)))
        return 0;
+
    ADD_TEST(test_rand);
    ADD_TEST(test_rand_uniform);
    return 1;
--- a/test/recipes/05-test_rand.t
+++ b/test/recipes/05-test_rand.t
@ -10,11 +10,19 @@ use strict;
 use warnings;
 use OpenSSL::Test;
 use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;

-plan tests => 5;
+plan tests => 6;
 setup("test_rand");

-ok(run(test(["rand_test"])));
+ok(run(test(["rand_test", srctop_file("test", "default.cnf")])));
+
+SKIP: {
+    skip "Skipping FIPS test in this build", 1 if disabled('fips');
+
+    ok(run(test(["rand_test", srctop_file("test", "fips.cnf")])));
+}
+
 ok(run(test(["drbgtest"])));
 ok(run(test(["rand_status_test"])));