diff options
author | Matt Caswell <matt@openssl.org> | 2021-07-27 16:36:41 +0100 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-07-28 10:35:06 +1000 |
commit | ca7cac886b0f1084acfe2e07135acd212415e2bd (patch) | |
tree | b4a4015ebcca2bdc158544456b0d762499f6c009 /test/defltfips_test.c | |
parent | 589fbc18aa5e72b2574a71d69c09b4f63f0ae943 (diff) |
Add some testing for the case where the FIPS provider fails to load
Ensure we get correct behaviour in the event that an attempt is made
to load the fips provider but it fails to load.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16168)
Diffstat (limited to 'test/defltfips_test.c')
-rw-r--r-- | test/defltfips_test.c | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/test/defltfips_test.c b/test/defltfips_test.c index 21c5e1524d..8b6dc0d6f1 100644 --- a/test/defltfips_test.c +++ b/test/defltfips_test.c @@ -4,6 +4,7 @@ #include "testutil.h" static int is_fips; +static int bad_fips; static int test_is_fips_enabled(void) { @@ -24,8 +25,8 @@ static int test_is_fips_enabled(void) * on the default properties. However we only set those properties if also * loading the FIPS provider. */ - if (!TEST_int_eq(is_fips, is_fips_enabled) - || !TEST_int_eq(is_fips, is_fips_loaded)) + if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled) + || !TEST_int_eq(is_fips && !bad_fips, is_fips_loaded)) return 0; /* @@ -33,19 +34,26 @@ static int test_is_fips_enabled(void) * expected provider. */ sha256 = EVP_MD_fetch(NULL, "SHA2-256", NULL); - if (!TEST_ptr(sha256)) - return 0; - if (is_fips - && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)), - "fips")) { + if (bad_fips) { + if (!TEST_ptr_null(sha256)) { + EVP_MD_free(sha256); + return 0; + } + } else { + if (!TEST_ptr(sha256)) + return 0; + if (is_fips + && !TEST_str_eq(OSSL_PROVIDER_get0_name(EVP_MD_get0_provider(sha256)), + "fips")) { + EVP_MD_free(sha256); + return 0; + } EVP_MD_free(sha256); - return 0; } - EVP_MD_free(sha256); /* State should still be consistent */ is_fips_enabled = EVP_default_properties_is_fips_enabled(NULL); - if (!TEST_int_eq(is_fips, is_fips_enabled)) + if (!TEST_int_eq(is_fips || bad_fips, is_fips_enabled)) return 0; return 1; @@ -54,6 +62,7 @@ static int test_is_fips_enabled(void) int setup_tests(void) { size_t argc; + char *arg1; if (!test_skip_common_options()) { TEST_error("Error parsing test options\n"); @@ -64,10 +73,18 @@ int setup_tests(void) switch(argc) { case 0: is_fips = 0; + bad_fips = 0; break; case 1: - if (strcmp(test_get_argument(0), "fips") == 0) { + arg1 = test_get_argument(0); + if (strcmp(arg1, "fips") == 0) { is_fips = 1; + bad_fips = 0; + break; + } else if (strcmp(arg1, "badfips") == 0) { + /* Configured for FIPS, but the module fails to load */ + is_fips = 0; + bad_fips = 1; break; } /* fall through */ |