From fdcabdfd28c02c0ccf91e46dcc22a50ef6affdd4 Mon Sep 17 00:00:00 2001
From: Milan Broz <gmazyland@gmail.com>
Date: Tue, 15 Jan 2013 14:53:19 +0100
Subject: [PATCH] Support test run in kernel FIPS mode.

---
 tests/api-test.c  | 86 ++++++++++++++++++++++++++++++++++++++-----------------
 tests/compat-test | 11 +++++--
 2 files changed, 68 insertions(+), 29 deletions(-)

diff --git a/tests/api-test.c b/tests/api-test.c
index d54e9a5..3ccfa73 100644
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -84,6 +84,7 @@
 
 static int _debug   = 0;
 static int _verbose = 1;
+static int _fips_mode = 0;
 
 static char global_log[4096];
 static int global_lines = 0;
@@ -114,6 +115,24 @@ static int device_size(const char *device, uint64_t *size)
 	return r;
 }
 
+static int fips_mode(void)
+{
+	int fd;
+	char buf = 0;
+
+	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
+
+	if (fd < 0)
+		return 0;
+
+	if (read(fd, &buf, 1) != 1)
+		buf = '0';
+
+	close(fd);
+
+	return (buf == '1');
+}
+
 static int get_luks_offsets(int metadata_device,
 			    size_t keylength,
 			    unsigned int alignpayload_sec,
@@ -451,6 +470,11 @@ static int _setup(void)
 
 	_system("modprobe dm-crypt", 0);
 	_system("modprobe dm-verity", 0);
+
+	_fips_mode = fips_mode();
+	if (_debug)
+		printf("FIPS MODE: %d\n", _fips_mode);
+
 	return 0;
 }
 
@@ -760,14 +784,16 @@ static void AddDevicePlain(void)
 	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
 
 	// retrieve volume key check
-	memset(key2, 0, key_size);
-	key_size--;
-	// small buffer
-	FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
-	key_size++;
-	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-
-	OK_(memcmp(key, key2, key_size));
+	if (!_fips_mode) {
+		memset(key2, 0, key_size);
+		key_size--;
+		// small buffer
+		FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)), "small buffer");
+		key_size++;
+		OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+
+		OK_(memcmp(key, key2, key_size));
+	}
 	OK_(strcmp(cipher, crypt_get_cipher(cd)));
 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -899,16 +925,18 @@ static void UseLuksDevice(void)
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
 	EQ_(1032, crypt_get_data_offset(cd));
 
-	EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
-	OK_(crypt_volume_key_verify(cd, key, key_size));
-	OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
-	OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
-	EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
-	OK_(crypt_deactivate(cd, CDEVICE_1));
-
-	key[1] = ~key[1];
-	FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
-	FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+	if (!_fips_mode) {
+		EQ_(0, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, KEY1, strlen(KEY1)));
+		OK_(crypt_volume_key_verify(cd, key, key_size));
+		OK_(crypt_activate_by_volume_key(cd, NULL, key, key_size, 0));
+		OK_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0));
+		EQ_(crypt_status(cd, CDEVICE_1), CRYPT_ACTIVE);
+		OK_(crypt_deactivate(cd, CDEVICE_1));
+
+		key[1] = ~key[1];
+		FAIL_(crypt_volume_key_verify(cd, key, key_size), "key mismatch");
+		FAIL_(crypt_activate_by_volume_key(cd, CDEVICE_1, key, key_size, 0), "key mismatch");
+	}
 	crypt_free(cd);
 }
 
@@ -1130,10 +1158,12 @@ static void AddDeviceLuks(void)
 	EQ_(7, crypt_activate_by_passphrase(cd, NULL, 7, passphrase2, strlen(passphrase2), 0));
 	EQ_(6, crypt_keyslot_change_by_passphrase(cd, CRYPT_ANY_SLOT, 6, passphrase2, strlen(passphrase2), passphrase, strlen(passphrase)));
 
-	EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
-	OK_(crypt_volume_key_verify(cd, key2, key_size));
+	if (!_fips_mode) {
+		EQ_(6, crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key2, &key_size, passphrase, strlen(passphrase)));
+		OK_(crypt_volume_key_verify(cd, key2, key_size));
 
-	OK_(memcmp(key, key2, key_size));
+		OK_(memcmp(key, key2, key_size));
+	}
 	OK_(strcmp(cipher, crypt_get_cipher(cd)));
 	OK_(strcmp(cipher_mode, crypt_get_cipher_mode(cd)));
 	EQ_((int)key_size, crypt_get_volume_key_size(cd));
@@ -1743,12 +1773,14 @@ static void TcryptTest(void)
 	EQ_(256, crypt_get_data_offset(cd));
 
 	memset(key, 0, key_size);
-	key_size--;
-	// small buffer
-	FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
-	key_size++;
-	OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
-	OK_(memcmp(key, key_def, key_size));
+	if (!_fips_mode) {
+		key_size--;
+		// small buffer
+		FAIL_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0), "small buffer");
+		key_size++;
+		OK_(crypt_volume_key_get(cd, CRYPT_ANY_SLOT, key, &key_size, NULL, 0));
+		OK_(memcmp(key, key_def, key_size));
+	}
 
 	reset_log();
 	crypt_set_log_callback(cd, &new_log, NULL);
diff --git a/tests/compat-test b/tests/compat-test
index 7c5172f..36e186c 100755
--- a/tests/compat-test
+++ b/tests/compat-test
@@ -39,6 +39,7 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
+FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 function remove_mapping()
 {
@@ -63,6 +64,12 @@ function fail()
 	exit 2
 }
 
+function can_fail_fips()
+{
+        # Ignore this fail if running in FIPS mode
+        [ -z "$FIPS_MODE" -o "$FIPS_MODE" -eq 0 ] && fail $1
+}
+
 function skip()
 {
 	[ -n "$1" ] && echo "$1"
@@ -390,8 +397,8 @@ echo $PWD1 | $CRYPTSETUP luksAddKey $LOOPDEV -d $KEY1 || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q "Key Slot 0: ENABLED" || fail
 $CRYPTSETUP luksDump $LOOPDEV | grep -q $TEST_UUID || fail
 echo $PWDW | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key 2>/dev/null && fail
-echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || fail
-$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || fail
+echo $PWD1 | $CRYPTSETUP luksDump $LOOPDEV --dump-master-key | grep -q "MK dump:" || can_fail_fips
+$CRYPTSETUP luksDump -q $LOOPDEV --dump-master-key -d $KEY1 | grep -q "MK dump:" || can_fail_fips
 
 prepare "[22] remove disappeared device" wipe
 dmsetup create $DEV_NAME --table "0 5000 linear $LOOPDEV 2" || fail
-- 
2.7.4