add SetFIPS tests

golang-fips · Nov 13, 2024 · e9d0955 · e9d0955
1 parent 5c35ebd
commit e9d0955
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 3 deletions.
diff --git a/export_test.go b/export_test.go
@@ -5,8 +5,13 @@ import "sync"
 var ErrOpen = errOpen
 
 var SymCryptProviderAvailable = sync.OnceValue(func() bool {
-	if vMajor == 1 {
-		return false
-	}
 	return isProviderAvailable("symcryptprovider")
 })
+
+var FIPSProviderAvailable = sync.OnceValue(func() bool {
+	return isProviderAvailable("fips")
+})
+
+var DefaultProviderAvailable = sync.OnceValue(func() bool {
+	return isProviderAvailable("default")
+})
diff --git a/openssl.go b/openssl.go
@@ -137,6 +137,9 @@ func FIPS() bool {
 // isProviderAvailable checks if the provider with the given name is available.
 // This function is used in export_test.go, but must be defined here as test files can't access C functions.
 func isProviderAvailable(name string) bool {
+	if vMajor == 1 {
+		return false
+	}
 	providerName := C.CString(name)
 	defer C.free(unsafe.Pointer(providerName))
 	return C.go_openssl_OSSL_PROVIDER_available(nil, providerName) == 1

diff --git a/openssl_test.go b/openssl_test.go
@@ -91,3 +91,45 @@ func compareCurrentVersion(v string) int {
 	ver := strings.TrimPrefix(runtime.Version(), "devel ")
 	return version.Compare(ver, v)
 }
+
+func TestSetFIPS(t *testing.T) {
+	fipsEnabled := openssl.FIPS()
+	t.Cleanup(func() {
+		// Restore the previous FIPS mode.
+		err := openssl.SetFIPS(fipsEnabled)
+		if err != nil {
+			t.Fatal(err)
+		}
+	})
+
+	if err := openssl.SetFIPS(fipsEnabled); err != nil {
+		// Test that we can set FIPS mode to the current state
+		// without error.
+		t.Fatalf("SetFIPS(%v) failed: %v", fipsEnabled, err)
+	}
+	if got := openssl.FIPS(); got != fipsEnabled {
+		// Test that the FIPS mode hasn't been changed by the
+		// previous SetFIPS call.
+		t.Fatalf("FIPS mode mismatch: want %v, got %v", fipsEnabled, got)
+	}
+
+	if fipsEnabled &&
+		openssl.DefaultProviderAvailable() {
+		// Test that we can disable FIPS mode if it was enabled
+		// when the built-in provider is available.
+		err := openssl.SetFIPS(false)
+		if err != nil {
+			t.Fatalf("SetFIPS(false) failed: %v", err)
+		}
+	} else if !fipsEnabled &&
+		(openssl.SymCryptProviderAvailable() || openssl.FIPSProviderAvailable()) {
+		// Test that we can enable FIPS mode if it was disabled
+		// when the provider is known to support FIPS mode.
+		err := openssl.SetFIPS(true)
+		if err != nil {
+			t.Fatalf("SetFIPS(true) failed: %v", err)
+		}
+	} else {
+		t.Skip("FIPS mode is not supported")
+	}
+}