From e8b35d31817d207d8b4b87ccf104d3b93aa446e0 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 17 Oct 2022 11:11:43 +0900 Subject: [PATCH] tests: move FIPS service indicator functions to common file Signed-off-by: Daiki Ueno --- tests/dh-compute.c | 36 +++++--------------------- tests/fips-rsa-sizes.c | 24 ----------------- tests/fips-test.c | 27 +++----------------- tests/kdf-api.c | 27 +------------------- tests/pkcs12_encode.c | 24 ----------------- tests/privkey-keygen.c | 24 ----------------- tests/utils.h | 58 ++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 69 insertions(+), 151 deletions(-) diff --git a/tests/dh-compute.c b/tests/dh-compute.c index 828fb05e9c..6c1d5328f6 100644 --- a/tests/dh-compute.c +++ b/tests/dh-compute.c @@ -156,34 +156,10 @@ void doit(void) { NULL } }; -#define FIPS_PUSH_CONTEXT() do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != state) { \ - fail("operation state is not %d (%d)\n", \ - state, fips_state); \ - } \ - } \ -} while (0) - for (int i = 0; test_data[i].name != NULL; i++) { gnutls_datum_t priv_key, pub_key; gnutls_dh_params_t dh_params; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; int ret; if (gnutls_fips140_mode_enabled()) { @@ -193,24 +169,24 @@ void doit(void) } } - FIPS_PUSH_CONTEXT(); + fips_push_context(fips_context); params(&dh_params, &test_data[i].prime, &test_data[i].q, &test_data[i].generator); - FIPS_POP_CONTEXT(GNUTLS_FIPS140_OP_INITIAL); + fips_pop_context(fips_context, GNUTLS_FIPS140_OP_INITIAL); success("%s genkey\n", test_data[i].name); - FIPS_PUSH_CONTEXT(); + fips_push_context(fips_context); genkey(dh_params, &priv_key, &pub_key); - FIPS_POP_CONTEXT(test_data[i].fips_state_genkey); + fips_pop_context(fips_context, test_data[i].fips_state_genkey); success("%s compute_key\n", test_data[i].name); - FIPS_PUSH_CONTEXT(); + fips_push_context(fips_context); compute_key(test_data[i].name, dh_params, &priv_key, &pub_key, &test_data[i].peer_key, test_data[i].expected_error, NULL, 0); - FIPS_POP_CONTEXT(test_data[i].fips_state_compute_key); + fips_pop_context(fips_context, test_data[i].fips_state_compute_key); gnutls_dh_params_deinit(dh_params); gnutls_free(priv_key.data); diff --git a/tests/fips-rsa-sizes.c b/tests/fips-rsa-sizes.c index 84b9affabb..5feb284503 100644 --- a/tests/fips-rsa-sizes.c +++ b/tests/fips-rsa-sizes.c @@ -27,25 +27,6 @@ #include #include -#define FIPS_PUSH_CONTEXT() do { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ - fail("operation state is not " # state " (%d)\n", \ - fips_state); \ - } \ -} while (0) - void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, unsigned int size); @@ -63,7 +44,6 @@ void generate_successfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, int ret; gnutls_x509_privkey_t xprivkey; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; assert(gnutls_fips140_context_init(&fips_context) == 0); fprintf(stderr, "%d-bit\n", size); @@ -102,7 +82,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, int ret; gnutls_x509_privkey_t xprivkey; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; assert(gnutls_fips140_context_init(&fips_context) == 0); fprintf(stderr, "%d-bit\n", size); @@ -156,7 +135,6 @@ void generate_unsuccessfully(gnutls_privkey_t* privkey, gnutls_pubkey_t* pubkey, void sign_verify_successfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { int ret; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; gnutls_datum_t signature; gnutls_datum_t plaintext = { @@ -190,7 +168,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { int ret; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; gnutls_datum_t signature; gnutls_datum_t plaintext = { @@ -225,7 +202,6 @@ void sign_verify_unsuccessfully(gnutls_privkey_t privkey, void nosign_verify(gnutls_privkey_t privkey, gnutls_pubkey_t pubkey) { int ret; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; gnutls_datum_t signature; gnutls_datum_t plaintext = { diff --git a/tests/fips-test.c b/tests/fips-test.c index f789afb107..b0bae4ef9f 100644 --- a/tests/fips-test.c +++ b/tests/fips-test.c @@ -12,25 +12,6 @@ /* This does check the FIPS140 support. */ -#define FIPS_PUSH_CONTEXT() do { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ - fail("operation state is not " # state " (%d)\n", \ - fips_state); \ - } \ -} while (0) - void _gnutls_lib_simulate_error(void); static void tls_log_func(int level, const char *str) @@ -40,10 +21,9 @@ static void tls_log_func(int level, const char *str) static uint8_t key16[16]; static uint8_t iv16[16]; -uint8_t key_data[64]; -uint8_t iv_data[16]; -gnutls_fips140_context_t fips_context; -gnutls_fips140_operation_state_t fips_state; +static uint8_t key_data[64]; +static uint8_t iv_data[16]; +static gnutls_fips140_context_t fips_context; static const gnutls_datum_t data = { .data = (unsigned char *)"foo", 3 }; static const uint8_t rsa2342_sha1_sig_data[] = { @@ -276,6 +256,7 @@ test_ciphers(void) void doit(void) { int ret; + gnutls_fips140_operation_state_t fips_state; unsigned int mode; gnutls_cipher_hd_t ch; gnutls_hmac_hd_t mh; diff --git a/tests/kdf-api.c b/tests/kdf-api.c index 9724502005..a28ce82a62 100644 --- a/tests/kdf-api.c +++ b/tests/kdf-api.c @@ -33,30 +33,7 @@ #define MAX_BUF 1024 static gnutls_fips140_context_t fips_context; -static gnutls_fips140_operation_state_t fips_state; - -#define FIPS_PUSH_CONTEXT() do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ - fail("operation state is not " # state " (%d)\n", \ - fips_state); \ - } \ - } \ -} while (0) + static void test_hkdf(gnutls_mac_algorithm_t mac, @@ -74,7 +51,6 @@ test_hkdf(gnutls_mac_algorithm_t mac, gnutls_datum_t prk; gnutls_datum_t okm; uint8_t buf[MAX_BUF]; - int ret; success("HKDF test with %s\n", gnutls_mac_get_name(mac)); @@ -144,7 +120,6 @@ test_pbkdf2(gnutls_mac_algorithm_t mac, gnutls_datum_t salt; gnutls_datum_t okm; uint8_t buf[MAX_BUF]; - int ret; success("PBKDF2 test with %s\n", gnutls_mac_get_name(mac)); diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c index ea39f3d69e..dc55daccde 100644 --- a/tests/pkcs12_encode.c +++ b/tests/pkcs12_encode.c @@ -70,29 +70,6 @@ static void tls_log_func(int level, const char *str) fprintf(stderr, "|<%d>| %s", level, str); } -#define FIPS_PUSH_CONTEXT() do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ - fail("operation state is not " # state " (%d)\n", \ - fips_state); \ - } \ - } \ -} while (0) - void doit(void) { gnutls_pkcs12_t pkcs12; @@ -106,7 +83,6 @@ void doit(void) size_t size; unsigned i; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; size_t n_tests = 0; struct tests { const char *name; diff --git a/tests/privkey-keygen.c b/tests/privkey-keygen.c index 2766afee08..2531906d71 100644 --- a/tests/privkey-keygen.c +++ b/tests/privkey-keygen.c @@ -119,30 +119,6 @@ void doit(void) gnutls_x509_privkey_t pkey, dst; int ret, algorithm, i; gnutls_fips140_context_t fips_context; - gnutls_fips140_operation_state_t fips_state; - -#define FIPS_PUSH_CONTEXT() do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_push_context(fips_context); \ - if (ret < 0) { \ - fail("gnutls_fips140_push_context failed\n"); \ - } \ - } \ -} while (0) - -#define FIPS_POP_CONTEXT(state) do { \ - if (gnutls_fips140_mode_enabled()) { \ - ret = gnutls_fips140_pop_context(); \ - if (ret < 0) { \ - fail("gnutls_fips140_context_pop failed\n"); \ - } \ - fips_state = gnutls_fips140_get_operation_state(fips_context); \ - if (fips_state != GNUTLS_FIPS140_OP_ ## state) { \ - fail("operation state is not " # state " (%d)\n", \ - fips_state); \ - } \ - } \ -} while (0) ret = global_init(); if (ret < 0) diff --git a/tests/utils.h b/tests/utils.h index d3a2ba8d16..4433a07057 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -210,4 +210,62 @@ inline static unsigned int get_dtls_retransmit_timeout(void) { return (unsigned int) ul; } +static inline const char * +fips_operation_state_to_string(gnutls_fips140_operation_state_t state) +{ + switch (state) { + case GNUTLS_FIPS140_OP_INITIAL: + return "INITIAL"; + case GNUTLS_FIPS140_OP_APPROVED: + return "APPROVED"; + case GNUTLS_FIPS140_OP_NOT_APPROVED: + return "NOT_APPROVED"; + case GNUTLS_FIPS140_OP_ERROR: + return "ERROR"; + default: + /*NOTREACHED*/ + assert(0); + return NULL; + } +} + +static inline void +fips_push_context(gnutls_fips140_context_t context) +{ + if (gnutls_fips140_mode_enabled()) { + int ret; + + ret = gnutls_fips140_push_context(context); + if (ret < 0) { + fail("gnutls_fips140_push_context failed\n"); + } + } +} + +static inline void +fips_pop_context(gnutls_fips140_context_t context, + gnutls_fips140_operation_state_t expected_state) +{ + gnutls_fips140_operation_state_t state; + + if (gnutls_fips140_mode_enabled()) { + int ret; + + ret = gnutls_fips140_pop_context(); + if (ret < 0) { + fail("gnutls_fips140_context_pop failed\n"); + } + state = gnutls_fips140_get_operation_state(context); + if (state != expected_state) { + fail("operation state is not %s (%s)\n", + fips_operation_state_to_string(expected_state), + fips_operation_state_to_string(state)); + } + } +} + +/* To use those convenient macros, define fips_context variable. */ +#define FIPS_PUSH_CONTEXT() fips_push_context(fips_context) +#define FIPS_POP_CONTEXT(state) fips_pop_context(fips_context, GNUTLS_FIPS140_OP_ ## state) + #endif /* GNUTLS_TESTS_UTILS_H */ -- 2.38.1