author | kste <kste@google.com> | 2021-04-16 07:33:15 -0700 |
---|---|---|
committer | Copybara-Service <copybara-worker@google.com> | 2021-04-16 07:33:51 -0700 |
commit | 47b6e1783c8dc1eaed150632efd2ceb50f3f867c (patch) | |
tree | e62a25949509a252b05e42065289b9e3efaeea0a /cc/config | |
parent | 564daf0fd1e6a27ef469fdb0b85ffb60e3a0375e (diff) | |
download | tink-47b6e1783c8dc1eaed150632efd2ceb50f3f867c.tar.gz |
Refactor tink fips into an internal and public part.
Create a new fips_util target which captures all internal functions used for implementing the FIPS checks and puts it in the internal namespace.
The tink_fips.h now only provides functions which are part of the public API.
PiperOrigin-RevId: 368843791
Diffstat (limited to 'cc/config')
-rw-r--r-- | cc/config/BUILD.bazel | 14 | ||||
-rw-r--r-- | cc/config/CMakeLists.txt | 1 | ||||
-rw-r--r-- | cc/config/tink_fips.cc | 38 | ||||
-rw-r--r-- | cc/config/tink_fips.h | 31 | ||||
-rw-r--r-- | cc/config/tink_fips_enabled_test.cc | 83 | ||||
-rw-r--r-- | cc/config/tink_fips_test.cc (renamed from cc/config/tink_fips_disabled_test.cc) | 39 |
6 files changed, 36 insertions, 170 deletions
diff --git a/cc/config/BUILD.bazel b/cc/config/BUILD.bazel
index 0fce70245..89f5445d9 100644
--- a/cc/config/BUILD.bazel
+++ b/cc/config/BUILD.bazel
@@ -58,6 +58,7 @@ cc_library(
 deps = [
 "@com_google_absl//absl/base:core_headers",
 "@boringssl//:crypto",
+ "//:registry",
 "//util:status",
 ],
 )
@@ -99,21 +100,14 @@ cc_test(
 cc_test(
 name = "tink_fips_test",
 size = "small",
- srcs = select({
- "fips_enabled": ["tink_fips_enabled_test.cc"],
- "//conditions:default": ["tink_fips_disabled_test.cc"],
- }),
+ srcs = ["tink_fips_test.cc"],
 tags = [
 "fips",
 ],
 deps = [
+ ":tink_config",
 ":tink_fips",
- "//aead:aead_config",
- "//aead:aead_key_templates",
- "//util:status",
- "//util:test_matchers",
- "//util:test_util",
- "@boringssl//:crypto",
+ "//internal:fips_utils",
 "@com_google_googletest//:gtest_main",
 ],
 )
diff --git a/cc/config/CMakeLists.txt b/cc/config/CMakeLists.txt
index f8ce26581..411da1cb1 100644
--- a/cc/config/CMakeLists.txt
+++ b/cc/config/CMakeLists.txt
@@ -35,6 +35,7 @@ tink_cc_library(
 DEPS
 absl::base
 crypto
+ tink::core::registry
 tink::util::status
 )
diff --git a/cc/config/tink_fips.cc b/cc/config/tink_fips.cc
index 20686ca05..61875c971 100644
--- a/cc/config/tink_fips.cc
+++ b/cc/config/tink_fips.cc
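Review bot: The `cc_library` whose `deps` gain `"//:registry"` in the first BUILD.bazel hunk lists no dependency on the new internal target, although tink_fips.h and tink_fips.cc in this commit both include `tink/internal/fips_utils.h`; the rule's `name` is outside the hunk, but its dependency list matches the tink_fips library. The header is then reachable only transitively, so I would add `"//internal:fips_utils",` to that list and the equivalent entry to the `DEPS` of the CMakeLists.txt hunk. Nothing in the new tink_fips.cc uses `registry_impl.h`, so unless a follow-up change needs it, the `"//:registry"` and `tink::core::registry` additions and that include look unnecessary.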
@@ -15,40 +15,16 @@
 ///////////////////////////////////////////////////////////////////////////////
 #include "tink/config/tink_fips.h"
-namespace crypto {
-namespace tink {
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/registry_impl.h"
+#include "tink/util/status.h"
-#ifdef TINK_USE_ONLY_FIPS
-const bool kUseOnlyFips = true;
-#else
-const bool kUseOnlyFips = false;
-#endif
-crypto::tink::util::Status ChecksFipsCompatibility(
- FipsCompatibility fips_status) {
- switch (fips_status) {
- case FipsCompatibility::kNotFips:
- if (kUseOnlyFips) {
- return util::Status(util::error::INTERNAL,
- "Primitive not available in FIPS only mode.");
- } else {
- return util::OkStatus();
- }
- case FipsCompatibility::kRequiresBoringCrypto:
- if (kUseOnlyFips && !FIPS_mode()) {
- return util::Status(
- util::error::INTERNAL,
- "BoringSSL not built with the BoringCrypto module. If you want to "
- "use "
- "FIPS only mode you have to build BoringSSL in FIPS Mode.");
+namespace crypto {
+namespace tink {
- } else {
- return util::OkStatus();
- }
- default:
- return util::Status(util::error::INTERNAL,
- "Could not determine FIPS status.");
- }
+bool IsFipsModeEnabled() {
+ return internal::IsFipsModeEnabled();
 }
 } // namespace tink
diff --git a/cc/config/tink_fips.h b/cc/config/tink_fips.h
index 8736f378c..2cfef9c23 100644
--- a/cc/config/tink_fips.h
+++ b/cc/config/tink_fips.h
@@ -18,38 +18,15 @@
 #include "absl/base/attributes.h"
 #include "openssl/crypto.h"
+#include "tink/internal/fips_utils.h"
 #include "tink/util/status.h"
 namespace crypto {
 namespace tink {
-// This flag indicates whether Tink was build in FIPS only mode. If the flag
-// is set, then usage of algorithms will be restricted to algorithms which
-// utilize the FIPS validated BoringCrypto module.
-ABSL_CONST_INIT extern const bool kUseOnlyFips;
-
-// Should be used to indicate whether an algorithm can be used in FIPS only
-// mode or not.
-enum class FipsCompatibility {
- kNotFips = 0, // The algorithm can not use a FIPS validated implementation.
- kRequiresBoringCrypto, // The algorithm requires BoringCrypto to use a FIPS
- // validated implementation.
-};
-
-// Allows to check for a cryptographic algorithm whether it is available in
-// the FIPS only mode, based on it's FipsCompatibility flag. If FIPS only
-// mode is enabled this will return an INTERNAL error if:
-// 1) The algorithm has no FIPS support.
-// 2) The algorithm has FIPS support, but BoringSSL has not been compiled with
-// the BoringCrypto module.
-crypto::tink::util::Status ChecksFipsCompatibility(
- FipsCompatibility fips_status);
-
-// Utility function wich calls CheckFipsCompatibility(T::kFipsStatus).
-template <class T>
-crypto::tink::util::Status CheckFipsCompatibility() {
- return ChecksFipsCompatibility(T::kFipsStatus);
-}
+// This function will return true if Tink has been built in FIPS mode or if
+// the FIPS restrictions have been enabled at runtime.
+bool IsFipsModeEnabled();
 } // namespace tink
 } // namespace crypto
diff --git a/cc/config/tink_fips_enabled_test.cc b/cc/config/tink_fips_enabled_test.cc
deleted file mode 100644
index 0529785fc..000000000
--- a/cc/config/tink_fips_enabled_test.cc
+++ /dev/null
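Review bot: The added `#include "tink/internal/fips_utils.h"` in tink_fips.h keeps the internal API visible to every user of the public header, which works against the split this commit makes; tink_fips.cc already includes that header itself, so unless the line is kept temporarily for callers that have not migrated it can be dropped here. With `bool IsFipsModeEnabled();` as the only declaration left, `openssl/crypto.h`, `absl/base/attributes.h` and `tink/util/status.h` also look unused in this header. The new comment should say what a `true` result does not guarantee: the removed ChecksFipsCompatibility tested `FIPS_mode()` separately from the build flag, so if `internal::IsFipsModeEnabled()` (not shown in this diff) does not check that, add `// Does not verify that BoringSSL was built with the BoringCrypto module.`.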
@@ -1,83 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-///////////////////////////////////////////////////////////////////////////////
-#include "gmock/gmock.h"
-#include "gtest/gtest.h"
-#include "openssl/crypto.h"
-#include "tink/aead.h"
-#include "tink/aead/aead_config.h"
-#include "tink/aead/aead_key_templates.h"
-#include "tink/config/tink_fips.h"
-#include "tink/keyset_handle.h"
-#include "tink/util/status.h"
-#include "tink/util/test_matchers.h"
-#include "tink/util/test_util.h"
-
-namespace crypto {
-namespace tink {
-namespace {
-
-using ::crypto::tink::test::IsOk;
-using ::crypto::tink::test::StatusIs;
-
-TEST(TinkFipsTest, FlagCorrectlySet) {
- EXPECT_THAT(kUseOnlyFips, testing::Eq(true));
-}
-
-class FipsIncompatible {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kNotFips;
-};
-
-class FipsCompatibleWithBoringCrypto {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kRequiresBoringCrypto;
-};
-
-TEST(TinkFipsTest, CompatibilityChecksWithBoringCrypto) {
- if (!FIPS_mode()) {
- GTEST_SKIP() << "Test only run if BoringCrypto module is available.";
- }
-
- // In FIPS only mode compatibility checks should disallow algorithms
- // with the FipsCompatibility::kNone flag.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
- StatusIs(util::error::INTERNAL));
-
- // FIPS validated implementations should still be allowed.
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
-}
-
-TEST(TinkFipsTest, CompatibilityChecksWithoutBoringCrypto) {
- if (FIPS_mode()) {
- GTEST_SKIP() << "Test only run if BoringCrypto module is not available.";
- }
-
- // In FIPS only mode compatibility checks should disallow algorithms
- // with the FipsCompatibility::kNone flag.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
- StatusIs(util::error::INTERNAL));
-
- // FIPS validated implementations are not allowed if BoringCrypto is not
- // available.
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(),
- StatusIs(util::error::INTERNAL));
-}
-
-} // namespace
-} // namespace tink
-} // namespace crypto
diff --git a/cc/config/tink_fips_disabled_test.cc b/cc/config/tink_fips_test.cc
index d7d093894..23d317e71 100644
--- a/cc/config/tink_fips_disabled_test.cc
+++ b/cc/config/tink_fips_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -13,38 +13,39 @@
 // limitations under the License.
 //
 ///////////////////////////////////////////////////////////////////////////////
+#include "tink/config/tink_fips.h"
+
+#include "tink/internal/fips_utils.h"
 #include "gmock/gmock.h"
 #include "gtest/gtest.h"
-#include "tink/config/tink_fips.h"
-#include "tink/util/test_matchers.h"
 namespace crypto {
 namespace tink {
+
 namespace {
-using ::crypto::tink::test::IsOk;
 using testing::Eq;
-TEST(TinkFipsTest, FlagCorrectlySet) { EXPECT_THAT(kUseOnlyFips, Eq(false)); }
+// All tests in this file assume that Tink is not build in FIPS mode.
+TEST(TinkFipsTest, FipsEnabledWhenBuiltInFipsMode) {
+ // Check if the built flag is set.
+ if (!internal::kUseOnlyFips) {
+ GTEST_SKIP() << "Only supported in FIPS-only mode";
+ }
-class FipsIncompatible {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kNotFips;
-};
+ EXPECT_THAT(IsFipsModeEnabled(), Eq(true));
+}
-class FipsCompatibleWithBoringCrypto {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kRequiresBoringCrypto;
-};
+TEST(TinkFipsTest, FipsDisabledWhenNotBuildInFipsMode) {
+ // Check if the built flag is set.
+ if (internal::kUseOnlyFips) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
-TEST(TinkFipsTest, Compatibility) {
- // With FIPS only mode disabled no restrictions should apply.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(), IsOk());
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
+ EXPECT_THAT(IsFipsModeEnabled(), Eq(false));
 }
 } // namespace
+
 } // namespace tink
 } // namespace crypto |
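Review bot: Both tests in tink_fips_test.cc branch on `internal::kUseOnlyFips` and call `GTEST_SKIP()` otherwise, so nothing in this target fails any more when a build that is meant to be FIPS-only does not actually set the flag; the deleted tink_fips_enabled_test.cc, selected by `fips_enabled` in BUILD.bazel, asserted the flag in that configuration. Its checks that a non-FIPS primitive is rejected and that a missing BoringCrypto module is an error are removed as well, so unless equivalent tests exist next to internal/fips_utils (not visible here, the diff is limited to cc/config) I would keep a configuration-selected assertion. The added comment `// All tests in this file assume that Tink is not build in FIPS mode.` contradicts the first test, which only runs in FIPS mode; suggest `// Each test skips itself unless the build's FIPS mode matches the case it covers.`. The runtime-enabled path that the new tink_fips.h comment mentions is not exercised by either test.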