Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion .github/workflows/fips-ready.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,10 @@ jobs:

- name: Build wolfProvider with FIPS Ready Bundle
run: |
./scripts/build-wolfprovider.sh --fips-bundle="$FIPS_BUNDLE_PATH" \
# WOLFPROV_FORCE_FIPS_FAILURE is an internal, test-only knob (no CLI
# flag) that enables HAVE_FORCE_FIPS_FAILURE for the fips_status test.
WOLFPROV_FORCE_FIPS_FAILURE=1 ./scripts/build-wolfprovider.sh \
--fips-bundle="$FIPS_BUNDLE_PATH" \
--fips-check=ready --wolfssl-ver=v${{matrix.wolfssl_bundle_ref}}-stable

- name: Run FIPS Command Tests
Expand All @@ -82,3 +85,14 @@ jobs:

# --- force-fail mode ---
WOLFPROV_FORCE_FAIL=1 ./scripts/cmd_test/do-cmd-tests.sh

- name: Run FIPS Status Test
run: |
# Exercises the FIPS-status gate in wolfssl_prov_is_running():
export WOLFSSL_ISFIPS=1
source scripts/env-setup
set -o pipefail
./test/standalone/tests/fips_status/run.sh 2>&1 | tee fips-status.log
# The forced-failure branch must have actually run in this FIPS build;
# fail if the test silently degraded to the healthy path only.
grep -q "correctly rejected after FIPS failure" fips-status.log
8 changes: 8 additions & 0 deletions scripts/utils-wolfssl.sh
Original file line number Diff line number Diff line change
Expand Up @@ -215,6 +215,14 @@ install_wolfssl() {
printf "with FIPS ${fips_tag} ... "
fi
CONF_ARGS+=" --enable-fips=$fips_configure_arg"

# Internal test-only knob: expose wolfCrypt_SetStatus_fips for the
# fips_status test. The define reaches the provider and test builds
# automatically via the generated wolfssl options.h.
if [ "${WOLFPROV_FORCE_FIPS_FAILURE:-}" = "1" ]; then
WOLFSSL_FIPS_CONFIG_CFLAGS="${WOLFSSL_FIPS_CONFIG_CFLAGS} -DHAVE_FORCE_FIPS_FAILURE"
fi

WOLFSSL_CONFIG_OPTS=$WOLFSSL_FIPS_CONFIG_OPTS
WOLFSSL_CONFIG_CFLAGS=$WOLFSSL_FIPS_CONFIG_CFLAGS
# Only run fips-check if not using a bundle
Expand Down
20 changes: 14 additions & 6 deletions src/wp_wolfprov.c
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,10 @@

#include "wolfssl/wolfcrypt/logging.h"

#ifdef HAVE_FIPS
#include <wolfssl/wolfcrypt/fips_test.h>
#endif

const char* wolfprovider_id = "libwolfprov";

/* Core function that gets the table of parameters. */
Expand Down Expand Up @@ -72,10 +76,11 @@ static const OSSL_PARAM* wolfprov_gettable_params(void* provCtx)
/*
* Returns whether the provider is running/usable.
*
* In FIPS, if there is an issue with the integrity check, then this can return
* 0 to indicate provider is unusable.
* In FIPS builds the live wolfCrypt FIPS status is queried; a non-zero status
* (integrity/POST or continuous-test failure) returns 0 so a status-polling
* caller can observe the failure.
*
* @return 1 indicating provider is running.
* @return 1 indicating provider is running, 0 otherwise.
*/
int wolfssl_prov_is_running(void)
{
Expand All @@ -87,7 +92,12 @@ int wolfssl_prov_is_running(void)
return 0;
}
#endif
/* Always running. */
#ifdef HAVE_FIPS
if (wolfCrypt_GetStatus_fips() != 0) {
WOLFPROV_LEAVE(WP_LOG_COMP_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 0);
return 0;
}
#endif
WOLFPROV_LEAVE(WP_LOG_COMP_PROVIDER, __FILE__ ":" WOLFPROV_STRINGIZE(__LINE__), 1);
return 1;
}
Expand Down Expand Up @@ -1348,8 +1358,6 @@ static const OSSL_DISPATCH wolfprov_dispatch_table[] = {
};

#ifdef HAVE_FIPS
#include <wolfssl/wolfcrypt/fips_test.h>

static void wp_fipsCb(int ok, int err, const char* hash)
{
(void)ok;
Expand Down
11 changes: 9 additions & 2 deletions test/standalone/include.am
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,8 @@ noinst_HEADERS += test/standalone/test_common.h \
# Standalone test programs
# Each test compiles to its own binary for isolated execution
# Note: These are NOT in check_PROGRAMS because they must be run through scripts, not directly
noinst_PROGRAMS += test/sha256_simple.test test/hardload.test test/fips_baseline.test test/pqc_interop.test
DISTCLEANFILES += test/.libs/sha256_simple.test test/.libs/hardload.test test/.libs/fips_baseline.test test/.libs/pqc_interop.test
noinst_PROGRAMS += test/sha256_simple.test test/hardload.test test/fips_baseline.test test/pqc_interop.test test/fips_status.test
DISTCLEANFILES += test/.libs/sha256_simple.test test/.libs/hardload.test test/.libs/fips_baseline.test test/.libs/pqc_interop.test test/.libs/fips_status.test

# Common flags for all standalone tests
STANDALONE_COMMON_CPPFLAGS = -DCERTS_DIR='"$(abs_top_srcdir)/certs"' \
Expand Down Expand Up @@ -60,6 +60,13 @@ test_pqc_interop_test_CPPFLAGS = $(STANDALONE_COMMON_CPPFLAGS)
test_pqc_interop_test_SOURCES = test/standalone/tests/pqc_interop/test_pqc_interop.c
test_pqc_interop_test_LDADD = $(STANDALONE_COMMON_LDADD)

test_fips_status_test_CPPFLAGS = $(STANDALONE_COMMON_CPPFLAGS)
test_fips_status_test_SOURCES = test/standalone/tests/fips_status/test_fips_status.c
test_fips_status_test_LDADD = $(STANDALONE_COMMON_LDADD)
# Export the executable's dynamic symbols so libwolfprov resolves
# wolfCrypt_GetStatus_fips to this binary on the interposition path.
test_fips_status_test_LDFLAGS = -export-dynamic

# Common test utilities are built automatically by automake

# Standalone tests are available for manual execution but not part of make check
Expand Down
13 changes: 13 additions & 0 deletions test/standalone/runners/run_standalone_tests.sh
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,19 @@ else
fi
set -e

# Run FIPS status test
echo ""
echo "Running FIPS status test..."
set +e
"$ROOT_DIR/test/standalone/tests/fips_status/run.sh"
if [ $? -eq 0 ]; then
echo "FIPS status test: PASSED"
else
echo "FIPS status test: FAILED"
TOTAL_FAILURES=$((TOTAL_FAILURES + 1))
fi
set -e

echo ""
echo "================================"
if [ $TOTAL_FAILURES -eq 0 ]; then
Expand Down
54 changes: 54 additions & 0 deletions test/standalone/tests/fips_status/run.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
#!/bin/bash
# FIPS provider status test runner

set -e

# Get the directory of this script and find the root
TEST_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "$TEST_DIR/../../../.." && pwd)"

# Binary should be in the test/.libs/ directory
BINARY="fips_status.test"
BINARY_PATH="$ROOT_DIR/test/.libs/$BINARY"

# Make sure we can find the binary
if [ ! -f "$BINARY_PATH" ]; then
echo "Error: Cannot find binary $BINARY_PATH"
echo "Make sure you've built the test with: make test/fips_status.test"
exit 1
fi

# Source env-setup
if ! source "$ROOT_DIR/scripts/env-setup" >/dev/null; then
echo "Error: env-setup failed"
exit 1
fi

# Source common test utilities
source "$ROOT_DIR/test/standalone/test_common.sh"

# Check if this is a replace-default build
WP_USING_REPLACE_DEFAULT="0"
if detect_replace_default_build; then
WP_USING_REPLACE_DEFAULT="1"
unset OPENSSL_CONF
fi

echo "Using environment:"
echo "LD_LIBRARY_PATH: $LD_LIBRARY_PATH"
echo "OPENSSL_CONF: $OPENSSL_CONF"
echo "OPENSSL_BIN: $OPENSSL_BIN"

echo "Running FIPS status test: $BINARY_PATH"
echo ""

# The healthy-path assertion runs on every build. The forced-failure path runs
# in FIPS builds via wolfCrypt_SetStatus_fips (HAVE_FORCE_FIPS_FAILURE) or, on
# Linux, symbol interposition; the binary self-reports which path it took.
if "$BINARY_PATH"; then
echo "FIPS status test: PASSED"
exit 0
else
echo "FIPS status test: FAILED"
exit 1
fi
Loading
Loading