authorkste <kste@google.com>2021-04-16 07:33:15 -0700
committerCopybara-Service <copybara-worker@google.com>2021-04-16 07:33:51 -0700
commit47b6e1783c8dc1eaed150632efd2ceb50f3f867c (patch)
treee62a25949509a252b05e42065289b9e3efaeea0a /cc/config
parent564daf0fd1e6a27ef469fdb0b85ffb60e3a0375e (diff)
Refactor tink fips into an internal and public part.
Create a new fips_util target which captures all internal functions used for implementing the FIPS checks and puts it in the internal namespace. The tink_fips.h now only provides functions which are part of the public API. PiperOrigin-RevId: 368843791
Diffstat (limited to 'cc/config')
-rw-r--r--cc/config/BUILD.bazel14
-rw-r--r--cc/config/CMakeLists.txt1
-rw-r--r--cc/config/tink_fips.cc38
-rw-r--r--cc/config/tink_fips.h31
-rw-r--r--cc/config/tink_fips_enabled_test.cc83
-rw-r--r--cc/config/tink_fips_test.cc (renamed from cc/config/tink_fips_disabled_test.cc)39
6 files changed, 36 insertions, 170 deletions
diff --git a/cc/config/BUILD.bazel b/cc/config/BUILD.bazel
index 0fce70245..89f5445d9 100644
--- a/cc/config/BUILD.bazel
+++ b/cc/config/BUILD.bazel
@@ -58,6 +58,7 @@ cc_library(
deps = [
"@com_google_absl//absl/base:core_headers",
"@boringssl//:crypto",
+ "//:registry",
"//util:status",
],
)
@@ -99,21 +100,14 @@ cc_test(
cc_test(
name = "tink_fips_test",
size = "small",
- srcs = select({
- "fips_enabled": ["tink_fips_enabled_test.cc"],
- "//conditions:default": ["tink_fips_disabled_test.cc"],
- }),
+ srcs = ["tink_fips_test.cc"],
tags = [
"fips",
],
deps = [
+ ":tink_config",
":tink_fips",
- "//aead:aead_config",
- "//aead:aead_key_templates",
- "//util:status",
- "//util:test_matchers",
- "//util:test_util",
- "@boringssl//:crypto",
+ "//internal:fips_utils",
"@com_google_googletest//:gtest_main",
],
)
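Review bot: The new `":tink_config"` entry in the `tink_fips_test` deps does not correspond to anything the test uses: `tink_fips_test.cc` as changed in this commit includes only `tink/config/tink_fips.h`, `tink/internal/fips_utils.h`, gmock and gtest. Unless a later change needs it, I would drop that line so the test's dependency list stays limited to what it exercises.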
diff --git a/cc/config/CMakeLists.txt b/cc/config/CMakeLists.txt
index f8ce26581..411da1cb1 100644
--- a/cc/config/CMakeLists.txt
+++ b/cc/config/CMakeLists.txt
@@ -35,6 +35,7 @@ tink_cc_library(
DEPS
absl::base
crypto
+ tink::core::registry
tink::util::status
)
diff --git a/cc/config/tink_fips.cc b/cc/config/tink_fips.cc
index 20686ca05..61875c971 100644
--- a/cc/config/tink_fips.cc
+++ b/cc/config/tink_fips.cc
@@ -15,40 +15,16 @@
///////////////////////////////////////////////////////////////////////////////
#include "tink/config/tink_fips.h"
-namespace crypto {
-namespace tink {
+#include "tink/internal/fips_utils.h"
+#include "tink/internal/registry_impl.h"
+#include "tink/util/status.h"
-#ifdef TINK_USE_ONLY_FIPS
-const bool kUseOnlyFips = true;
-#else
-const bool kUseOnlyFips = false;
-#endif
-crypto::tink::util::Status ChecksFipsCompatibility(
- FipsCompatibility fips_status) {
- switch (fips_status) {
- case FipsCompatibility::kNotFips:
- if (kUseOnlyFips) {
- return util::Status(util::error::INTERNAL,
- "Primitive not available in FIPS only mode.");
- } else {
- return util::OkStatus();
- }
- case FipsCompatibility::kRequiresBoringCrypto:
- if (kUseOnlyFips && !FIPS_mode()) {
- return util::Status(
- util::error::INTERNAL,
- "BoringSSL not built with the BoringCrypto module. If you want to "
- "use "
- "FIPS only mode you have to build BoringSSL in FIPS Mode.");
+namespace crypto {
+namespace tink {
- } else {
- return util::OkStatus();
- }
- default:
- return util::Status(util::error::INTERNAL,
- "Could not determine FIPS status.");
- }
+bool IsFipsModeEnabled() {
+ return internal::IsFipsModeEnabled();
}
} // namespace tink
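Review bot: `tink/internal/registry_impl.h` and `tink/util/status.h` are included here, but the only function this file now defines, `IsFipsModeEnabled()`, uses neither; the `//:registry` and `tink::core::registry` dependencies added in BUILD.bazel and CMakeLists.txt look unused for the same reason. If they are groundwork for a follow-up change, that belongs in that change; otherwise I would remove the two includes and the dependency. The wrapper itself would benefit from a one-line comment such as `// Public entry point; forwards to the internal implementation in fips_utils.`.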
diff --git a/cc/config/tink_fips.h b/cc/config/tink_fips.h
index 8736f378c..2cfef9c23 100644
--- a/cc/config/tink_fips.h
+++ b/cc/config/tink_fips.h
@@ -18,38 +18,15 @@
#include "absl/base/attributes.h"
#include "openssl/crypto.h"
+#include "tink/internal/fips_utils.h"
#include "tink/util/status.h"
namespace crypto {
namespace tink {
-// This flag indicates whether Tink was build in FIPS only mode. If the flag
-// is set, then usage of algorithms will be restricted to algorithms which
-// utilize the FIPS validated BoringCrypto module.
-ABSL_CONST_INIT extern const bool kUseOnlyFips;
-
-// Should be used to indicate whether an algorithm can be used in FIPS only
-// mode or not.
-enum class FipsCompatibility {
- kNotFips = 0, // The algorithm can not use a FIPS validated implementation.
- kRequiresBoringCrypto, // The algorithm requires BoringCrypto to use a FIPS
- // validated implementation.
-};
-
-// Allows to check for a cryptographic algorithm whether it is available in
-// the FIPS only mode, based on it's FipsCompatibility flag. If FIPS only
-// mode is enabled this will return an INTERNAL error if:
-// 1) The algorithm has no FIPS support.
-// 2) The algorithm has FIPS support, but BoringSSL has not been compiled with
-// the BoringCrypto module.
-crypto::tink::util::Status ChecksFipsCompatibility(
- FipsCompatibility fips_status);
-
-// Utility function wich calls CheckFipsCompatibility(T::kFipsStatus).
-template <class T>
-crypto::tink::util::Status CheckFipsCompatibility() {
- return ChecksFipsCompatibility(T::kFipsStatus);
-}
+// This function will return true if Tink has been built in FIPS mode or if
+// the FIPS restrictions have been enabled at runtime.
+bool IsFipsModeEnabled();
} // namespace tink
} // namespace crypto
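Review bot: The public header now includes `tink/internal/fips_utils.h`, so every includer of `tink_fips.h` still sees the internal declarations that this commit is moving out of the public API. The declaration `bool IsFipsModeEnabled();` needs nothing from that header and `tink_fips.cc` includes it directly, so the include can be dropped here; as far as this hunk shows, `absl/base/attributes.h`, `openssl/crypto.h` and `tink/util/status.h` are no longer used by the header either. The comment on `IsFipsModeEnabled()` should also state whether a `true` result implies that BoringSSL reports `FIPS_mode()`, since the removed `ChecksFipsCompatibility` treated "FIPS-only mode" and "BoringCrypto available" as separate conditions and callers making compliance decisions need to know which one they are reading.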
diff --git a/cc/config/tink_fips_enabled_test.cc b/cc/config/tink_fips_enabled_test.cc
deleted file mode 100644
index 0529785fc..000000000
--- a/cc/config/tink_fips_enabled_test.cc
+++ /dev/null
@@ -1,83 +0,0 @@
-// Copyright 2020 Google LLC
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-///////////////////////////////////////////////////////////////////////////////
-#include "gmock/gmock.h"
-#include "gtest/gtest.h"
-#include "openssl/crypto.h"
-#include "tink/aead.h"
-#include "tink/aead/aead_config.h"
-#include "tink/aead/aead_key_templates.h"
-#include "tink/config/tink_fips.h"
-#include "tink/keyset_handle.h"
-#include "tink/util/status.h"
-#include "tink/util/test_matchers.h"
-#include "tink/util/test_util.h"
-
-namespace crypto {
-namespace tink {
-namespace {
-
-using ::crypto::tink::test::IsOk;
-using ::crypto::tink::test::StatusIs;
-
-TEST(TinkFipsTest, FlagCorrectlySet) {
- EXPECT_THAT(kUseOnlyFips, testing::Eq(true));
-}
-
-class FipsIncompatible {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kNotFips;
-};
-
-class FipsCompatibleWithBoringCrypto {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kRequiresBoringCrypto;
-};
-
-TEST(TinkFipsTest, CompatibilityChecksWithBoringCrypto) {
- if (!FIPS_mode()) {
- GTEST_SKIP() << "Test only run if BoringCrypto module is available.";
- }
-
- // In FIPS only mode compatibility checks should disallow algorithms
- // with the FipsCompatibility::kNone flag.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
- StatusIs(util::error::INTERNAL));
-
- // FIPS validated implementations should still be allowed.
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
-}
-
-TEST(TinkFipsTest, CompatibilityChecksWithoutBoringCrypto) {
- if (FIPS_mode()) {
- GTEST_SKIP() << "Test only run if BoringCrypto module is not available.";
- }
-
- // In FIPS only mode compatibility checks should disallow algorithms
- // with the FipsCompatibility::kNone flag.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(),
- StatusIs(util::error::INTERNAL));
-
- // FIPS validated implementations are not allowed if BoringCrypto is not
- // available.
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(),
- StatusIs(util::error::INTERNAL));
-}
-
-} // namespace
-} // namespace tink
-} // namespace crypto
diff --git a/cc/config/tink_fips_disabled_test.cc b/cc/config/tink_fips_test.cc
index d7d093894..23d317e71 100644
--- a/cc/config/tink_fips_disabled_test.cc
+++ b/cc/config/tink_fips_test.cc
@@ -1,4 +1,4 @@
-// Copyright 2020 Google LLC
+// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -13,38 +13,39 @@
// limitations under the License.
//
///////////////////////////////////////////////////////////////////////////////
+#include "tink/config/tink_fips.h"
+
+#include "tink/internal/fips_utils.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
-#include "tink/config/tink_fips.h"
-#include "tink/util/test_matchers.h"
namespace crypto {
namespace tink {
+
namespace {
-using ::crypto::tink::test::IsOk;
using testing::Eq;
-TEST(TinkFipsTest, FlagCorrectlySet) { EXPECT_THAT(kUseOnlyFips, Eq(false)); }
+// All tests in this file assume that Tink is not build in FIPS mode.
+TEST(TinkFipsTest, FipsEnabledWhenBuiltInFipsMode) {
+ // Check if the built flag is set.
+ if (!internal::kUseOnlyFips) {
+ GTEST_SKIP() << "Only supported in FIPS-only mode";
+ }
-class FipsIncompatible {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kNotFips;
-};
+ EXPECT_THAT(IsFipsModeEnabled(), Eq(true));
+}
-class FipsCompatibleWithBoringCrypto {
- public:
- static constexpr crypto::tink::FipsCompatibility kFipsStatus =
- crypto::tink::FipsCompatibility::kRequiresBoringCrypto;
-};
+TEST(TinkFipsTest, FipsDisabledWhenNotBuildInFipsMode) {
+ // Check if the built flag is set.
+ if (internal::kUseOnlyFips) {
+ GTEST_SKIP() << "Not supported in FIPS-only mode";
+ }
-TEST(TinkFipsTest, Compatibility) {
- // With FIPS only mode disabled no restrictions should apply.
- EXPECT_THAT(CheckFipsCompatibility<FipsIncompatible>(), IsOk());
- EXPECT_THAT(CheckFipsCompatibility<FipsCompatibleWithBoringCrypto>(), IsOk());
+ EXPECT_THAT(IsFipsModeEnabled(), Eq(false));
}
} // namespace
+
} // namespace tink
} // namespace crypto
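Review bot: Both tests gate on `internal::kUseOnlyFips` and call `GTEST_SKIP()` otherwise, so nothing in this file fails if a FIPS build does not actually set the flag: the first test skips and the second passes. The deleted `tink_fips_enabled_test.cc` was selected by the `fips_enabled` config and asserted `kUseOnlyFips` unconditionally, so consider keeping one assertion that is tied to the build configuration rather than to the flag under test. The added comment `// All tests in this file assume that Tink is not build in FIPS mode.` is also wrong for `FipsEnabledWhenBuiltInFipsMode`; something like `// Each test skips itself unless internal::kUseOnlyFips matches the case it covers.` would describe the file as it stands. The second test name has a typo and should read `FipsDisabledWhenNotBuiltInFipsMode`.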