tests: use utility to detect FIPS mode

Also try to use crypto lib/kernel check where appropriate. This can be useful for local testing (non-FIPS kernel) byt should not break real FIPS systems.
2025-12-05 16:00:05 +01:00 · 2025-11-13 22:06:52 +01:00
parent e4c498d15b
commit 11a4fc6790
12 changed files with 25 additions and 60 deletions
--- a/tests/00modules-test
+++ b/tests/00modules-test
@@ -17,6 +17,9 @@ if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
 	echo "Kernel running in FIPS mode."
 fi

+./crypto-check fips_mode && echo "Crypto backend running in FIPS mode."
+./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode."
+
 if [ -f /etc/os-release ] ; then
 	source /etc/os-release
 	echo "$PRETTY_NAME ($NAME) $VERSION"
--- a/tests/align-test
+++ b/tests/align-test
@@ -10,8 +10,6 @@ PWD1="93R4P4pIqAH8"
 PWD2="mymJeD8ivEhE"
 FAST_PBKDF="--pbkdf-force-iterations 1000"

-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
 	CRYPTSETUP_VALGRIND=$CRYPTSETUP
 else
@@ -22,7 +20,7 @@ fi

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }

 cleanup() {
--- a/tests/api-test.c
+++ b/tests/api-test.c
@@ -64,6 +64,7 @@
 #define LUKS_PHDR_SIZE_B 1024

 static int _fips_mode = 0;
+static int _fips_mode_kernel = 0;

 static char *DEVICE_1 = NULL;
 static char *DEVICE_2 = NULL;
@@ -293,8 +294,9 @@ static int _setup(void)
 		return 1;

 	_fips_mode = fips_mode();
+	_fips_mode_kernel = fips_mode_kernel();
 	if (_debug)
-		printf("FIPS MODE: %d\n", _fips_mode);
+		printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);

 	/* Use default log callback */
 	crypt_set_log_callback(NULL, &global_log_callback, NULL);
@@ -1833,7 +1835,7 @@ static void TcryptTest(void)
 	CRYPT_FREE(cd);

 	// Following test uses non-FIPS algorithms in the cipher chain
-	if(_fips_mode)
+	if(_fips_mode || _fips_mode_kernel)
 		return;

 	OK_(crypt_init(&cd, tcrypt_dev2));
--- a/tests/api_test.h
+++ b/tests/api_test.h
@@ -31,6 +31,7 @@ int t_dm_capi_string_supported(void);
 int t_set_readahead(const char *device, unsigned value);

 int fips_mode(void);
+int fips_mode_kernel(void);

 int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset);

--- a/tests/compat-test
+++ b/tests/compat-test
@@ -50,7 +50,6 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"

 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)

 remove_mapping()
 {
@@ -83,7 +82,7 @@ trap _sigchld CHLD

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }

 can_fail_fips()
--- a/tests/compat-test-opal
+++ b/tests/compat-test-opal
@@ -42,8 +42,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

 TEST_UUID="12345678-1234-1234-1234-123456789abc"

-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
@@ -73,7 +71,7 @@ trap _sigchld CHLD

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }

 can_fail_fips()
--- a/tests/compat-test2
+++ b/tests/compat-test2
@@ -48,7 +48,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"

 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)

 remove_mapping()
 {
@@ -88,7 +87,7 @@ trap _sigchld CHLD

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }

 can_fail_fips()
--- a/tests/crypto-vectors.c
+++ b/tests/crypto-vectors.c
@@ -18,8 +18,6 @@
 # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 #endif

-static bool fips_active = false;
-
 static void printhex(const char *s, const char *buf, size_t len)
 {
 	size_t i;
@@ -31,24 +29,6 @@ static void printhex(const char *s, const char *buf, size_t len)
 	fflush(stdout);
 }

-static bool fips_mode(void)
-{
-	int fd;
-	char buf = 0;
-
-	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
-	if (fd < 0)
-		return false;
-
-	if (read(fd, &buf, 1) != 1)
-		buf = '0';
-
-	close(fd);
-
-	return (buf == '1');
-}
-
 /*
 * KDF tests
 */
@@ -1043,7 +1023,7 @@ static int pbkdf_test_vectors(void)
 		    vec->salt, vec->salt_length,
 		    result, vec->output_length,
 		    vec->iterations, vec->memory, vec->parallelism) < 0) {
-			if (vec->can_fail_fips && fips_mode()) {
+			if (vec->can_fail_fips && crypt_fips_mode()) {
 				printf("[API FAILED, IGNORED (FIPS mode)]\n");
 				continue;
 			}
@@ -1552,7 +1532,7 @@ static int kernel_capi_check_test(void)
 		if (!r)
 			printf("[OK]\n");
 		else if (r == -ENOENT || r == -ENOTSUP ||
-			(fips_active && !capi_test_vectors[i].fips))
+			(crypt_fips_mode_kernel() && !capi_test_vectors[i].fips))
 			printf("[N/A]\n");
 		else
 			return EXIT_FAILURE;
@@ -1580,8 +1560,6 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 	}
 #endif

-	fips_active = fips_mode();
-
 	if (crypt_backend_init())
 		exit_test("Crypto backend init error.", EXIT_FAILURE);

@@ -1615,7 +1593,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 		exit_test("Kernel CAPI test failed.", EXIT_FAILURE);

 	if (default_alg_test()) {
-		if (fips_mode())
+		if (crypt_fips_mode())
 			printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
 		else
 			exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
--- a/tests/keyring-compat-test
+++ b/tests/keyring-compat-test
@@ -33,8 +33,6 @@ else
 	CRYPTSETUP_LIB_VALGRIND=../.libs
 fi

-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 	[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
@@ -115,9 +113,9 @@ test_and_prepare_keyring() {
 	load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 }

-fips_mode()
+fips_mode_kernel()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode_kernel
 }

 add_device() {
@@ -205,7 +203,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corrupti
 echo "OK"

 #test serpent cipher, cbc mode, tcw IV
-fips_mode || {
+fips_mode_kernel || {
 echo -n "Testing $CIPHER_CBC_TCW..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
 sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
--- a/tests/luks2-reencryption-test
+++ b/tests/luks2-reencryption-test
@@ -54,8 +54,6 @@ HAVE_KEYRING=0
 JSON_MSIZE=16384
 IMG_JSON=luks2-digest-1.json

-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 dm_crypt_features()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
@@ -163,7 +161,7 @@ skip()

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }

 add_scsi_device() {
--- a/tests/reencryption-compat-test
+++ b/tests/reencryption-compat-test
@@ -30,11 +30,10 @@ LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"

 MNT_DIR=./mnt_luks
 START_DIR=$(pwd)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)

 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }

 del_scsi_device()
--- a/tests/test_utils.c
+++ b/tests/test_utils.c
@@ -165,20 +165,12 @@ int t_set_readahead(const char *device, unsigned value)

 int fips_mode(void)
 {
-	int fd;
-	char buf = 0;
+	return _system("./crypto-check fips_mode", 1) == 0;
+}

-	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
-	if (fd < 0)
-		return 0;
-
-	if (read(fd, &buf, 1) != 1)
-		buf = '0';
-
-	close(fd);
-
-	return (buf == '1');
+int fips_mode_kernel(void)
+{
+	return _system("./crypto-check fips_mode_kernel", 1) == 0;
 }

 /*