From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:17:54 +0100
Subject: [PATCH] fips update: provide test for dynamic service indicator
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
API to allow and forbid an external GCM IV. Depending on whether the application
allows or forbids external IVs, the service indicator changes dynamically.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
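diff --git a/test/fips_test.c b/test/fips_test.c
index 2bd3d40..873c4b0 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -13,6 +13,64 @@
 
 #define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
 
+#ifdef ICA_FIPS
+static int test_gcm_iv_usage(void)
+{
+ libica_fips_indicator_element *fips_list = NULL;
+ unsigned int rc, i, fips_len, allow;
+ unsigned int approved_expected, override_expected;
+
+ for (allow = 0; allow < 2; allow++) {
+
+ approved_expected = allow == 1 ? 0 : 1;
+ override_expected = allow == 1 ? 1 : 0;
+
+ /* Check allowance of an external iv in fips mode */
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
+
+ /* Get fips indicator list */
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
+ printf("get_fips_indicator failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
+ if (!fips_list) {
+ printf("malloc fips_indicator list failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
+ printf("ica_get_fips_indicator failed\n");
+ free(fips_list);
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ for (i = 0; i < fips_len; i++) {
+ if (fips_list[i].mech_mode_id == AES_GCM ||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
+ if (fips_list[i].fips_approved != approved_expected ||
+ fips_list[i].fips_override != override_expected) {
+ rc = EXIT_FAILURE;
+ free(fips_list);
+ goto done;
+ }
+ }
+ }
+
+ free(fips_list);
+ }
+
+ rc = 0;
+
+done:
+ return rc;
+}
+#endif /* ICA_FIPS */
+
 int
 main(void)
 {
@@ -68,6 +126,10 @@ main(void)
 printf("Libica FIPS integrity check failed.\n");
 rv = EXIT_FAILURE;
 }
+ if (test_gcm_iv_usage()) {
+ printf("Libica FIPS gcm iv usage check failed.\n");
+ rv = EXIT_FAILURE;
+ }
 #endif /* ICA_FIPS */
 
 printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);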
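Review bot: The loop in `test_gcm_iv_usage()` ends on `ica_allow_external_gcm_iv_in_fips_mode(1)`, so the function returns with external GCM IVs still allowed, and a failure in the second iteration leaves through `done:` in the same state; calling `ica_allow_external_gcm_iv_in_fips_mode(0);` right after the `done:` label would put the process back to forbidding external IVs before `main()` continues. The check also passes vacuously when the indicator list contains no `AES_GCM` or `AES_GCM_KMA` entry, because the inner loop fails only on a mismatch; counting the matched entries per iteration and returning `EXIT_FAILURE` when the count is zero would catch a list that has lost the GCM mechanisms. The mismatch branch sets `rc` without reporting which `mech_mode_id` disagreed, so a single `printf` of the id and the `fips_approved`/`fips_override` values there would make a failing service-indicator check diagnosable.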