libica/libica-04-fips-update-provide-test-for-dynamic-service-indicator.patch

95 lines
2.5 KiB
Diff
Raw Permalink Normal View History

From b4b25bff66035883a47ea9227abc1ffe207a31a8 Mon Sep 17 00:00:00 2001
From: Joerg Schmidbauer <jschmidb@de.ibm.com>
Date: Wed, 6 Nov 2024 13:17:54 +0100
Subject: [PATCH] fips update: provide test for dynamic service indicator
Add a sub-test to the fips_test using the ica_allow_external_gcm_iv_in_fips_mode
API to allow and forbid an external GCM IV. Depending on whether the application
allows or forbids external IVs, the service indicator changes dynamically.
Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
---
test/fips_test.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/test/fips_test.c b/test/fips_test.c
index 2bd3d40..873c4b0 100644
--- a/test/fips_test.c
+++ b/test/fips_test.c
@@ -13,6 +13,64 @@
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
+#ifdef ICA_FIPS
+static int test_gcm_iv_usage(void)
+{
+ libica_fips_indicator_element *fips_list = NULL;
+ unsigned int rc, i, fips_len, allow;
+ unsigned int approved_expected, override_expected;
+
+ for (allow = 0; allow < 2; allow++) {
+
+ approved_expected = allow == 1 ? 0 : 1;
+ override_expected = allow == 1 ? 1 : 0;
+
+ /* Check allowance of an external iv in fips mode */
+ ica_allow_external_gcm_iv_in_fips_mode(allow);
+
+ /* Get fips indicator list */
+ if (ica_get_fips_indicator(NULL, &fips_len) != 0){
+ printf("get_fips_indicator failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ fips_list = malloc(sizeof(libica_fips_indicator_element)*fips_len);
+ if (!fips_list) {
+ printf("malloc fips_indicator list failed\n");
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ if (ica_get_fips_indicator(fips_list, &fips_len) != 0){
+ printf("ica_get_fips_indicator failed\n");
+ free(fips_list);
+ rc = EXIT_FAILURE;
+ goto done;
+ }
+
+ for (i = 0; i < fips_len; i++) {
+ if (fips_list[i].mech_mode_id == AES_GCM ||
+ fips_list[i].mech_mode_id == AES_GCM_KMA) {
+ if (fips_list[i].fips_approved != approved_expected ||
+ fips_list[i].fips_override != override_expected) {
+ rc = EXIT_FAILURE;
+ free(fips_list);
+ goto done;
+ }
+ }
+ }
+
+ free(fips_list);
+ }
+
+ rc = 0;
+
+done:
+ return rc;
+}
+#endif /* ICA_FIPS */
+
int
main(void)
{
@@ -68,6 +126,10 @@ main(void)
printf("Libica FIPS integrity check failed.\n");
rv = EXIT_FAILURE;
}
+ if (test_gcm_iv_usage()) {
+ printf("Libica FIPS gcm iv usage check failed.\n");
+ rv = EXIT_FAILURE;
+ }
#endif /* ICA_FIPS */
printf("OpenSSL version is '%s'.\n", OPENSSL_VERSION_TEXT);