author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-05 05:08:27 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-18 15:20:50 +0200 |
commit | 991a6bb58182d4d2077a68eb813c897b7de73462 (patch) | |
tree | 738fc724534be090323181dc445cf19e442b827c /test/evp_test.c | |
parent | Add 'fips-securitychecks' option and plumb this into the actual fips checks (diff) | |
Add option to fipsinstall to disable fips security checks at run time.
Changes merged from a patch by @richsalz.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'test/evp_test.c')
-rw-r--r-- | test/evp_test.c | 40 |
1 files changed, 36 insertions, 4 deletions
diff --git a/test/evp_test.c b/test/evp_test.c
index 14ea4a8496..a146f4726f 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -21,6 +21,7 @@
 #include <openssl/kdf.h>
 #include <openssl/params.h>
 #include <openssl/core_names.h>
+#include <openssl/fips_names.h>
 #include "internal/numbers.h"
 #include "internal/nelem.h"
 #include "crypto/evp.h"
@@ -3286,6 +3287,33 @@ static char *take_value(PAIR *pp)
 return p;
 }
 
+static int securitycheck_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ if (OSSL_PROVIDER_available(libctx, "fips")) {
+ OSSL_PARAM params[2];
+ OSSL_PROVIDER *prov = NULL;
+ int check = 1;
+
+ prov = OSSL_PROVIDER_load(libctx, "fips");
+ if (prov != NULL) {
+ params[0] =
+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_SECURITY_CHECKS,
+ &check);
+ params[1] = OSSL_PARAM_construct_end();
+ OSSL_PROVIDER_get_params(prov, params);
+ OSSL_PROVIDER_unload(prov);
+ }
+ enabled = check;
+ return enabled;
+ }
+ enabled = 0;
+ }
+ return enabled;
+}
+
 /*
 * Return 1 if one of the providers named in the string is available.
 * The provider names are separated with whitespace.
@@ -3445,11 +3473,15 @@ start:
 for (pp++, i = 1; i < (t->s.numpairs - skip_availablein); pp++, i++) {
 if (strcmp(pp->key, "Securitycheck") == 0) {
 #if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
- TEST_info("skipping, securitycheck is not available: %s:%d",
- t->s.test_file, t->s.start);
- t->skip = 1;
- return 0;
+#else
+ if (!securitycheck_enabled())
 #endif
+ {
+ TEST_info("skipping, Securitycheck is disabled: %s:%d",
+ t->s.test_file, t->s.start);
+ t->skip = 1;
+ return 0;
+ }
 } else if (strcmp(pp->key, "Availablein") == 0) {
 TEST_info("Line %d: 'Availablein' should be the first option",
 t->s.curr); |
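Review bot: The return value of `OSSL_PROVIDER_get_params()` in the new `securitycheck_enabled()` is ignored, so a failed query, or a failed `OSSL_PROVIDER_load()`, leaves `check` at its initial 1 and that value is cached as "enabled" for the rest of the run. Defaulting to 1 errs toward running the Securitycheck stanzas, which is the conservative direction, but the failure should be visible in the log, for example `if (!OSSL_PROVIDER_get_params(prov, params)) TEST_info("could not read fips security-checks setting, assuming enabled");`. The function also has no comment; I would add `/* Return 1 unless the fips provider is unavailable or reports security checks disabled; the answer is cached after the first call. */` above it so the static cache and the default are explicit.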
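Review bot: The empty `#if defined(OPENSSL_NO_FIPS_SECURITYCHECKS)` branch followed by `#else` in the `Securitycheck` handling makes it easy to misread which condition guards the skip block; inverting the test reads more directly: `#if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)`, then `if (!securitycheck_enabled())`, then `#endif`. The single message "Securitycheck is disabled" now covers both the compile-time and the run-time case, so someone reading the log cannot tell which one caused the skip. These stanzas appear to be the ones that depend on the provider's security checks, so a run against a module installed with checks turned off skips them with only a `TEST_info` line; a short comment at the skip saying so would help whoever audits test coverage. The enclosing function starts and ends outside the hunk.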