Runtime detect FIPS RNG usage in test

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19237)

(cherry picked from commit c91f972c9fba61c5db761a49e13df4dadcba068a)

diff --git a/test/drbgtest.c b/test/drbgtest.c
index 58d53ac038e2c64e31cc111e4213ded6a09f75b9..a1a786218b2c8bc3a6f1cddbdd47aafc778e1457 100644 (file)
--- a/test/drbgtest.c
+++ b/test/drbgtest.c
@@ -132,15 +132,23 @@ static time_t reseed_time(EVP_RAND_CTX *drbg)
 
 /*
  * When building the FIPS module, it isn't possible to disable the continuous
- * RNG tests.  Tests that require this are skipped.
+ * RNG tests.  Tests that require this are skipped and this means a detection
+ * mechanism for the FIPS provider being in use.
  */
-static int crngt_skip(void)
+static int using_fips_rng(void)
 {
-#ifdef FIPS_MODULE
-    return 1;
-#else
-    return 0;
-#endif
+    EVP_RAND_CTX *primary = RAND_get0_primary(NULL);
+    const OSSL_PROVIDER *prov;
+    const char *name;
+
+    if (!TEST_ptr(primary))
+        return 0;
+
+    prov = EVP_RAND_get0_provider(EVP_RAND_CTX_get0_rand(primary));
+    if (!TEST_ptr(prov))
+        return 0;
+    name = OSSL_PROVIDER_get0_name(prov);
+    return strcmp(name, "OpenSSL FIPS Provider") == 0;
 }
 
  /*
@@ -540,7 +548,7 @@ static int test_rand_fork_safety(int i)
 
 /*
  * Test whether the default rand_method (RAND_OpenSSL()) is
- * setup correctly, in particular whether reseeding  works
+ * setup correctly, in particular whether reseeding works
  * as designed.
  */
 static int test_rand_reseed(void)
@@ -550,7 +558,7 @@ static int test_rand_reseed(void)
     int rv = 0;
     time_t before_reseed;
 
-    if (crngt_skip())
+    if (using_fips_rng())
         return TEST_skip("CRNGT cannot be disabled");
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -582,7 +590,6 @@ static int test_rand_reseed(void)
     EVP_RAND_uninstantiate(private);
     EVP_RAND_uninstantiate(public);
 
-
     /*
      * Test initial seeding of shared DRBGs
      */
@@ -592,7 +599,6 @@ static int test_rand_reseed(void)
                                     1, 1, 1, 0)))
         goto error;
 
-
     /*
      * Test initial state of shared DRBGs
      */
@@ -640,7 +646,6 @@ static int test_rand_reseed(void)
     /* fill 'randomness' buffer with some arbitrary data */
     memset(rand_add_buf, 'r', sizeof(rand_add_buf));
 
-#ifndef FIPS_MODULE
     /*
      * Test whether all three DRBGs are reseeded by RAND_add().
      * The before_reseed time has to be measured here and passed into the
@@ -657,22 +662,6 @@ static int test_rand_reseed(void)
                                     1, 1, 1,
                                     before_reseed)))
         goto error;
-#else /* FIPS_MODULE */
-    /*
-     * In FIPS mode, random data provided by the application via RAND_add()
-     * is not considered a trusted entropy source. It is only treated as
-     * additional_data and no reseeding is forced. This test assures that
-     * no reseeding occurs.
-     */
-    before_reseed = time(NULL);
-    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
-    if (!TEST_true(test_drbg_reseed(1,
-                                    primary, public, private,
-                                    NULL, NULL,
-                                    0, 0, 0,
-                                    before_reseed)))
-        goto error;
-#endif
 
     rv = 1;
 
@@ -822,7 +811,7 @@ static int test_rand_prediction_resistance(void)
     unsigned char buf1[51], buf2[sizeof(buf1)];
     int ret = 0, xreseed, yreseed, zreseed;
 
-    if (crngt_skip())
+    if (using_fips_rng())
         return TEST_skip("CRNGT cannot be disabled");
 
     /* Initialise a three long DRBG chain */