Support test run in kernel FIPS mode.

diff --git a/tests/api-test.c b/tests/api-test.c
index d54e9a5..3ccfa73 100644 (file)
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -84,6 +84,7 @@
 
 static int _debug   = 0;
 static int _verbose = 1;
+static int _fips_mode = 0;
 
 static char global_log[4096];
 static int global_lines = 0;
@@ -114,6 +115,24 @@ static int device_size(const char *device, uint64_t *size)
        return r;
 }
 
+static int fips_mode(void)
+{
+       int fd;
+       char buf = 0;
+
+       fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+       if (fd < 0)
+               return 0;
+
+       if (read(fd, &buf, 1) != 1)
+               buf = '0';
+
+       close(fd);
+
+       return (buf == '1');
+}
+
 static int get_luks_offsets(int metadata_device,
                            size_t keylength,
                            unsigned int alignpayload_sec,
@@ -451,6 +470,11 @@ static int _setup(void)
 
        _system("modprobe dm-crypt", 0);
        _system("modprobe dm-verity", 0);
+
+       _fips_mode = fips_mode();
+       if (_debug)
+               printf("FIPS MODE: %d\n", _fips_mode);
+
        return 0;
 }
 
@@ -760,14 +784,16 @@ static void AddDevicePlain(void)
        EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
 
        // retrieve volume key check
-       memset(key2, 0, key_size);
-       key_size--;
-       // small buffer
-       FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
-       key_size++;
-       OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-
-       OK_(memcmp(key, key2, key_size));
+       if (!_fips_mode) {
+               memset(key2, 0, key_size);
+               key_size--;
+               // small buffer
+               FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
+               key_size++;
+               OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+
+               OK_(memcmp(key, key2, key_size));
+       }
        OK_(strcmp(cipher, crypt_get_cipher(cd)));
        OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
        EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -899,16 +925,18 @@ static void UseLuksDevice(void)
        EQ_((int)key_size, crypt_get_volume_key_size(cd));
        EQ_(1032, crypt_get_data_offset(cd));
 
-       EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
-       OK_(crypt_volume_key_verify(cd, key, key_size));
-       OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
-       OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
-       EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
-       OK_(crypt_deactivate(cd, CDEVICE_1));
-
-       key[1] = ~key[1];
-       FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
-       FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+       if (!_fips_mode) {
+               EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+               OK_(crypt_volume_key_verify(cd, key, key_size));
+               OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
+               OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+               EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+               OK_(crypt_deactivate(cd, CDEVICE_1));
+
+               key[1] = ~key[1];
+               FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
+               FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+       }
        crypt_free(cd);
 }
 
@@ -1130,10 +1158,12 @@ static void AddDeviceLuks(void)
        EQ_(7, crypt_activate_by_passphrase(cd, NULL, 7, passphrase2, strlen(passphrase2), 0));
        EQ_(6, crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 6, passphrase2, strlen(passphrase2), passphrase, strlen(passphrase)));
 
-       EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-       OK_(crypt_volume_key_verify(cd, key2, key_size));
+       if (!_fips_mode) {
+               EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+               OK_(crypt_volume_key_verify(cd, key2, key_size));
 
-       OK_(memcmp(key, key2, key_size));
+               OK_(memcmp(key, key2, key_size));
+       }
        OK_(strcmp(cipher, crypt_get_cipher(cd)));
        OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
        EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -1743,12 +1773,14 @@ static void TcryptTest(void)
        EQ_(256, crypt_get_data_offset(cd));
 
        memset(key, 0, key_size);
-       key_size--;
-       // small buffer
-       FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
-       key_size++;
-       OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
-       OK_(memcmp(key, key_def, key_size));
+       if (!_fips_mode) {
+               key_size--;
+               // small buffer
+               FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
+               key_size++;
+               OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
+               OK_(memcmp(key, key_def, key_size));
+       }
 
        reset_log();
        crypt_set_log_callback(cd, &new_log, NULL);

diff --git a/tests/compat-test b/tests/compat-test
index 7c5172f..36e186c 100755 (executable)
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -39,6 +39,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
@@ -63,6 +64,12 @@ function fail()
        exit 2
 }
 
+function can_fail_fips()
+{
+        # Ignore this fail if running in FIPS mode
+        [ -z "$FIPS_MODE" -o "$FIPS_MODE" -eq 0 ] && fail $1
+}
+
 function skip()
 {
        [ -n "$1" ] && echo "$1"
@@ -390,8 +397,8 @@ echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
-$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
+echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
+$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
 
 prepare "[22] remove disappeared device" wipe
 dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail