From 9e1582dd059d69c86b6f323fadd87956b6034aab Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer
Date: Wed, 6 Nov 2024 13:17:54 +0100
Subject: [PATCH] fips update: provide test for dynamic service indicator
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode API to allow and forbid an external GCM IV. Depending on whether the application allows or forbids external IVs, the service indicator changes dynamically.
Signed-off-by: Joerg Schmidbauer
---
 test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
diff --git a/test/fips_test.c b/test/fips_test.c
index 2bd3d40..873c4b0 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -13,6 +13,64 @@
 #define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
+#ifdef ICA_FIPS
+static int test_gcm_iv_usage(void)
+{
+ libica_fips_indicator_element *fips_list = NULL;
+ unsigned int rc, i, fips_len, allow;
+ unsigned int approved_expected, override_expected;
+
+ for (allow = 0; allow < 2; allow++) {
+
+ approved_expected = allow == 1 ? 0 : 1;
+ override_expected = allow == 1 ? 1 : 0;
+
+ /* Check allowance of an external iv in fips mode */
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
+
+ /* Get fips indicator list */
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
+ printf("get_fips_indicator failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
+ if (!fips_list) {
+ printf("malloc fips_indicator list failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
+ printf("ica_get_fips_indicator failed\n");
+ free(fips_list);
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ for (i = 0; i < fips_len; i++) {
+ if (fips_list[i].mech_mode_id == AES_GCM ||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
+ if (fips_list[i].fips_approved != approved_expected ||
+ fips_list[i].fips_override != override_expected) {
+ rc = EXIT_FAILURE;
+ free(fips_list);
+ goto done;
+ }
+ }
+ }
+
+ free(fips_list);
+ }
+
+ rc = 0;
+
+done:
+ return rc;
+}
+#endif /* ICA_FIPS */
+
 int
 main(void)
 {
@@ -68,6 +126,10 @@ main(void)
 printf("Libica FIPS integrity check failed.\n");
 rv = EXIT_FAILURE;
 }
+ if (test_gcm_iv_usage()) {
+ printf("Libica FIPS gcm iv usage check failed.\n");
+ rv = EXIT_FAILURE;
+ }
 #endif /* ICA_FIPS */
 printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);
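Review bot: test_gcm_iv_usage() reports success without having checked anything when the indicator list holds no AES_GCM or AES_GCM_KMA entry, because the inner loop only fails on a mismatch and never records that a GCM entry was seen. Counting the matched entries and failing the iteration when the count is still zero after the inner loop would close that gap. A returned fips_len of 0 is a related case, since malloc(0) may return NULL and be reported as an allocation failure. The outer loop also finishes with allow == 1, and the failure paths jump to `done:` from either iteration, so the process is left with external GCM IVs permitted for whatever runs afterwards in main(). Adding `ica_allow_external_gcm_iv_in_fips_mode(0);` just before `return rc;` would put the library back into the forbidding state on every path. The mismatch branch sets rc silently, so printing the mech_mode_id and the observed fips_approved/fips_override values there would make a failing indicator diagnosable.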