int global_init(void);
int setup_tests(void);
void cleanup_tests(void);
+
+/*
+ * Helper functions to detect specific versions of the FIPS provider being in use.
+ * Because of FIPS rules, code changes after a module has been validated are
+ * difficult and because we provide an hard guarantee of ABI and behavioural
+ * stability going forwards, it is a requirement to have tests be conditional
+ * on specific FIPS provider versions. Without this, bug fixes cannot be tested
+ * in later releases.
+ *
+ * The reason for not including e.g. a less than test is to help avoid any
+ * temptation to use FIPS provider version numbers that don't exist. Until the
+ * `new' provider is validated, its version isn't set in stone. Thus a change
+ * in test behaviour must depend on already validated module versions only.
+ *
+ * In all cases, the function returns true if:
+ * 1. the FIPS provider version matches the criteria specified or
+ * 2. the FIPS provider isn't being used.
+ */
+int fips_provider_version_eq(OSSL_LIB_CTX *libctx, int major, int minor, int patch);
+int fips_provider_version_ne(OSSL_LIB_CTX *libctx, int major, int minor, int patch);
+int fips_provider_version_le(OSSL_LIB_CTX *libctx, int major, int minor, int patch);
+int fips_provider_version_gt(OSSL_LIB_CTX *libctx, int major, int minor, int patch);
+
/*
* Used to supply test specific command line options,
* If non optional parameters are used, then the first entry in the OPTIONS[]
#include "../testutil.h"
#include <openssl/provider.h>
+#include <openssl/core_names.h>
#include <string.h>
int test_get_libctx(OSSL_LIB_CTX **libctx, OSSL_PROVIDER **default_null_prov,
return test_get_libctx(libctx, default_null_prov,
test_get_argument(argn + 1), provider, module_name);
}
+
+typedef struct {
+ int major, minor, patch;
+} FIPS_VERSION;
+
+/*
+ * Query the FIPS provider to determine it's version number.
+ * Returns 1 if the version is retrieved correctly, 0 if the FIPS provider isn't
+ * loaded and -1 on error.
+ */
+static int fips_provider_version(OSSL_LIB_CTX *libctx, FIPS_VERSION *vers)
+{
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+ OSSL_PROVIDER *fips_prov;
+ char *vs;
+
+ if (!OSSL_PROVIDER_available(libctx, "fips"))
+ return 0;
+ *params = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION, &vs, 0);
+ if ((fips_prov = OSSL_PROVIDER_load(libctx, "fips")) == NULL)
+ return -1;
+ if (!OSSL_PROVIDER_get_params(fips_prov, params)
+ || sscanf(vs, "%d.%d.%d", &vers->major, &vers->minor, &vers->patch) != 3)
+ goto err;
+ if (!OSSL_PROVIDER_unload(fips_prov))
+ return -1; /* WTF do we do here??? */
+ return 1;
+ err:
+ OSSL_PROVIDER_unload(fips_prov);
+ return -1;
+}
+
+int fips_provider_version_eq(OSSL_LIB_CTX *libctx, int major, int minor, int patch)
+{
+ FIPS_VERSION prov;
+ int res;
+
+ if ((res = fips_provider_version(libctx, &prov)) <= 0)
+ return res == 0;
+ return major == prov.major && minor == prov.minor && patch == prov.patch;
+}
+
+int fips_provider_version_ne(OSSL_LIB_CTX *libctx, int major, int minor, int patch)
+{
+ FIPS_VERSION prov;
+ int res;
+
+ if ((res = fips_provider_version(libctx, &prov)) <= 0)
+ return res == 0;
+ return major != prov.major || minor != prov.minor || patch != prov.patch;
+}
+
+int fips_provider_version_le(OSSL_LIB_CTX *libctx, int major, int minor, int patch)
+{
+ FIPS_VERSION prov;
+ int res;
+
+ if ((res = fips_provider_version(libctx, &prov)) <= 0)
+ return res == 0;
+ return prov.major < major
+ || (prov.major == major
+ && (prov.minor < minor
+ || (prov.minor == minor && prov.patch <= patch)));
+}
+
+int fips_provider_version_gt(OSSL_LIB_CTX *libctx, int major, int minor, int patch)
+{
+ FIPS_VERSION prov;
+ int res;
+
+ if ((res = fips_provider_version(libctx, &prov)) <= 0)
+ return res == 0;
+ return prov.major > major
+ || (prov.major == major
+ && (prov.minor > minor
+ || (prov.minor == minor && prov.patch > patch)));
+}
projects / openssl.git / commitdiff