1 // Copyright 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 #include "tink/internal/fips_utils.h"
17 
18 #include "gmock/gmock.h"
19 #include "gtest/gtest.h"
20 #include "absl/status/status.h"
21 #include "openssl/crypto.h"
22 #include "tink/util/status.h"
23 #include "tink/util/test_matchers.h"
24 
25 namespace crypto {
26 namespace tink {
27 namespace internal {
28 namespace {
29 
30 using ::crypto::tink::test::IsOk;
31 using ::crypto::tink::test::StatusIs;
32 
// Test-only stand-in for an algorithm that declares itself as not FIPS
// compatible. The tests in this file pass it as the template argument to
// CheckFipsCompatibility<>().
struct FipsIncompatible {
  static constexpr FipsCompatibility kFipsStatus =
      FipsCompatibility::kNotFips;
};
37 
// Test-only stand-in for an algorithm whose declared FIPS status is
// kRequiresBoringCrypto. The tests in this file pass it as the template
// argument to CheckFipsCompatibility<>().
struct FipsCompatibleWithBoringCrypto {
  static constexpr FipsCompatibility kFipsStatus =
      FipsCompatibility::kRequiresBoringCrypto;
};
43 
// Outside FIPS-only mode the compatibility check is expected to accept both
// stand-in classes, whatever FIPS status they declare.
TEST(FipsUtilsTest, CompatibilityInNonFipsMode) {
  // The expectations below only hold when kUseOnlyFips is false.
  if (kUseOnlyFips) {
    GTEST_SKIP() << "Not supported in FIPS-only mode";
  }

  const auto not_fips_result = CheckFipsCompatibility<FipsIncompatible>();
  EXPECT_THAT(not_fips_result, IsOk());

  const auto boring_crypto_result =
      CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>();
  EXPECT_THAT(boring_crypto_result, IsOk());
}
52 
// In FIPS-only mode, with IsFipsEnabledInSsl() reporting true, a kNotFips
// class must be rejected with kInternal while a kRequiresBoringCrypto class
// is accepted.
//
// NOTE(review): every assertion here is skipped unless both conditions hold,
// so a test run that never uses such a build leaves this rejection path
// unexercised.
TEST(FipsUtilsTest, CompatibilityInFipsMode) {
  // Equivalent to (!kUseOnlyFips || !IsFipsEnabledInSsl()); short-circuiting
  // still avoids the IsFipsEnabledInSsl() call when kUseOnlyFips is false.
  if (!(kUseOnlyFips && IsFipsEnabledInSsl())) {
    GTEST_SKIP()
        << "Test should only run in FIPS mode with Boringcrypto available.";
  }

  const auto not_fips_result = CheckFipsCompatibility<FipsIncompatible>();
  EXPECT_THAT(not_fips_result, StatusIs(absl::StatusCode::kInternal));

  const auto boring_crypto_result =
      CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>();
  EXPECT_THAT(boring_crypto_result, IsOk());
}
63 
// Fail-closed case: FIPS-only mode is requested but IsFipsEnabledInSsl()
// reports false. Both stand-in classes must then be rejected with kInternal.
//
// NOTE(review): this test is registered under the suite TinkFipsTest, while
// the other tests in this file use FipsUtilsTest; a filter on FipsUtilsTest.*
// will not select it.
TEST(TinkFipsTest, CompatibilityInFipsModeWithoutBoringCrypto) {
  // Short-circuiting keeps IsFipsEnabledInSsl() uncalled when kUseOnlyFips is
  // false, as in the single-expression form of this condition.
  const bool fips_only_without_module = kUseOnlyFips && !IsFipsEnabledInSsl();
  if (!fips_only_without_module) {
    GTEST_SKIP() << "Test only run if BoringCrypto module is not available.";
  }

  // A class that declares FipsCompatibility::kNotFips is disallowed in
  // FIPS-only mode.
  const auto not_fips_result = CheckFipsCompatibility<FipsIncompatible>();
  EXPECT_THAT(not_fips_result, StatusIs(absl::StatusCode::kInternal));

  // A class that declares kRequiresBoringCrypto is disallowed as well when
  // the BoringCrypto module is not available.
  const auto boring_crypto_result =
      CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>();
  EXPECT_THAT(boring_crypto_result, StatusIs(absl::StatusCode::kInternal));
}
79 
80 }  // namespace
81 }  // namespace internal
82 }  // namespace tink
83 }  // namespace crypto
84