1*e7b1675dSTing-Kang Chang // Copyright 2021 Google LLC
2*e7b1675dSTing-Kang Chang //
3*e7b1675dSTing-Kang Chang // Licensed under the Apache License, Version 2.0 (the "License");
4*e7b1675dSTing-Kang Chang // you may not use this file except in compliance with the License.
5*e7b1675dSTing-Kang Chang // You may obtain a copy of the License at
6*e7b1675dSTing-Kang Chang //
7*e7b1675dSTing-Kang Chang // http://www.apache.org/licenses/LICENSE-2.0
8*e7b1675dSTing-Kang Chang //
9*e7b1675dSTing-Kang Chang // Unless required by applicable law or agreed to in writing, software
10*e7b1675dSTing-Kang Chang // distributed under the License is distributed on an "AS IS" BASIS,
11*e7b1675dSTing-Kang Chang // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12*e7b1675dSTing-Kang Chang // See the License for the specific language governing permissions and
13*e7b1675dSTing-Kang Chang // limitations under the License.
14*e7b1675dSTing-Kang Chang //
15*e7b1675dSTing-Kang Chang ///////////////////////////////////////////////////////////////////////////////
16*e7b1675dSTing-Kang Chang #include "tink/internal/fips_utils.h"
17*e7b1675dSTing-Kang Chang
18*e7b1675dSTing-Kang Chang #include "gmock/gmock.h"
19*e7b1675dSTing-Kang Chang #include "gtest/gtest.h"
20*e7b1675dSTing-Kang Chang #include "absl/status/status.h"
21*e7b1675dSTing-Kang Chang #include "openssl/crypto.h"
22*e7b1675dSTing-Kang Chang #include "tink/util/status.h"
23*e7b1675dSTing-Kang Chang #include "tink/util/test_matchers.h"
24*e7b1675dSTing-Kang Chang
25*e7b1675dSTing-Kang Chang namespace crypto {
26*e7b1675dSTing-Kang Chang namespace tink {
27*e7b1675dSTing-Kang Chang namespace internal {
28*e7b1675dSTing-Kang Chang namespace {
29*e7b1675dSTing-Kang Chang
30*e7b1675dSTing-Kang Chang using ::crypto::tink::test::IsOk;
31*e7b1675dSTing-Kang Chang using ::crypto::tink::test::StatusIs;
32*e7b1675dSTing-Kang Chang
// Test stand-in for a primitive that declares itself as not FIPS compatible.
// It carries only the kFipsStatus tag and is passed as the template argument
// of CheckFipsCompatibility in the tests in this file.
struct FipsIncompatible {
  static constexpr FipsCompatibility kFipsStatus = FipsCompatibility::kNotFips;
};
37*e7b1675dSTing-Kang Chang
// Test stand-in for a primitive tagged kRequiresBoringCrypto. The tests in
// this file expect it to pass the compatibility check in FIPS-only mode only
// when IsFipsEnabledInSsl() reports true.
struct FipsCompatibleWithBoringCrypto {
  static constexpr FipsCompatibility kFipsStatus =
      FipsCompatibility::kRequiresBoringCrypto;
};
43*e7b1675dSTing-Kang Chang
// Outside FIPS-only mode the compatibility check places no restriction on a
// primitive: both the non-FIPS stand-in and the one requiring BoringCrypto
// must be accepted.
//
// The test skips itself when kUseOnlyFips is set. The three tests in this
// file have mutually exclusive skip conditions, so one run exercises only one
// of them; a skipped test is not evidence that the FIPS restriction holds, and
// each configuration needs its own run.
TEST(FipsUtilsTest, CompatibilityInNonFipsMode) {
  if (kUseOnlyFips) {
    GTEST_SKIP() << "Not supported in FIPS-only mode";
  }

  EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(), IsOk());
  EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
}
52*e7b1675dSTing-Kang Chang
// FIPS-only mode with the FIPS module reported as enabled by
// IsFipsEnabledInSsl(): a primitive tagged kNotFips must be rejected with
// kInternal, while one tagged kRequiresBoringCrypto must be accepted.
//
// Runs only when kUseOnlyFips is set and IsFipsEnabledInSsl() returns true;
// in every other configuration the test is skipped and verifies nothing.
TEST(FipsUtilsTest, CompatibilityInFipsMode) {
  if (!kUseOnlyFips || !IsFipsEnabledInSsl()) {
    GTEST_SKIP()
        << "Test should only run in FIPS mode with Boringcrypto available.";
  }

  // A non-FIPS primitive must never pass the check in FIPS-only mode.
  EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
              StatusIs(absl::StatusCode::kInternal));
  EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
}
63*e7b1675dSTing-Kang Chang
// FIPS-only mode requested but IsFipsEnabledInSsl() reports false: the check
// must fail closed, rejecting every primitive with kInternal, including the
// one that would be acceptable if the BoringCrypto FIPS module were available.
//
// Runs only when kUseOnlyFips is set and IsFipsEnabledInSsl() returns false.
// NOTE(review): this test is registered under the suite name TinkFipsTest,
// not FipsUtilsTest like the other two, so a run filtered with
// --gtest_filter=FipsUtilsTest.* would not select this fail-closed case.
TEST(TinkFipsTest, CompatibilityInFipsModeWithoutBoringCrypto) {
  if (!kUseOnlyFips || IsFipsEnabledInSsl()) {
    GTEST_SKIP() << "Test only run if BoringCrypto module is not available.";
  }

  // In FIPS only mode compatibility checks should disallow algorithms
  // with the FipsCompatibility::kNotFips flag.
  EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
              StatusIs(absl::StatusCode::kInternal));

  // FIPS validated implementations are not allowed if BoringCrypto is not
  // available.
  EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(),
              StatusIs(absl::StatusCode::kInternal));
}
79*e7b1675dSTing-Kang Chang
80*e7b1675dSTing-Kang Chang } // namespace
81*e7b1675dSTing-Kang Chang } // namespace internal
82*e7b1675dSTing-Kang Chang } // namespace tink
83*e7b1675dSTing-Kang Chang } // namespace crypto