diff options
| author | kste <kste@google.com> | 2020-07-09 05:57:35 -0700 |
|---|---|---|
| committer | Copybara-Service <copybara-worker@google.com> | 2020-07-09 05:58:07 -0700 |
| commit | ce4388b632143ee65ae0196611ef38aba45f8b87 (patch) | |
| tree | 216e4053b8250a02b2d01895459b08b81f1b2d3b /cc/mac/mac_config_test.cc | |
| parent | 7774f24559d1aff5ede208e347d02af8471bbacb (diff) | |
| download | tink-ce4388b632143ee65ae0196611ef38aba45f8b87.tar.gz | |
Restrict Mac registry when using FIPS only mode.
When using FIPS only mode, this restricts Mac registry to only register the FIPS validated HMAC implementations.
PiperOrigin-RevId: 320381070
Diffstat (limited to 'cc/mac/mac_config_test.cc')
| -rw-r--r-- | cc/mac/mac_config_test.cc | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/cc/mac/mac_config_test.cc b/cc/mac/mac_config_test.cc index a6208e61d..f4048ce7d 100644 --- a/cc/mac/mac_config_test.cc +++ b/cc/mac/mac_config_test.cc @@ -16,8 +16,11 @@ #include "tink/mac/mac_config.h" +#include <list> + #include "gtest/gtest.h" #include "tink/config.h" +#include "tink/config/tink_fips.h" #include "tink/keyset_handle.h" #include "tink/mac.h" #include "tink/mac/hmac_key_manager.h" @@ -84,6 +87,41 @@ TEST_F(MacConfigTest, WrappersRegistered) { DummyMac("dummy").VerifyMac(mac_result.ValueOrDie(), "faked text").ok()); } +// FIPS-only mode tests +TEST_F(MacConfigTest, RegisterNonFipsTemplates) { + if (!kUseOnlyFips) { + GTEST_SKIP() << "Only supported in FIPS-only mode"; + } + + EXPECT_THAT(MacConfig::Register(), IsOk()); + + std::list<google::crypto::tink::KeyTemplate> non_fips_key_templates; + non_fips_key_templates.push_back(MacKeyTemplates::AesCmac()); + + for (auto key_template : non_fips_key_templates) { + EXPECT_THAT(KeysetHandle::GenerateNew(key_template).status(), + StatusIs(util::error::NOT_FOUND)); + } +} + +TEST_F(MacConfigTest, RegisterFipsValidTemplates) { + if (!kUseOnlyFips) { + GTEST_SKIP() << "Only supported in FIPS-only mode"; + } + + EXPECT_THAT(MacConfig::Register(), IsOk()); + + std::list<google::crypto::tink::KeyTemplate> fips_key_templates; + fips_key_templates.push_back(MacKeyTemplates::HmacSha256()); + fips_key_templates.push_back(MacKeyTemplates::HmacSha256HalfSizeTag()); + fips_key_templates.push_back(MacKeyTemplates::HmacSha512()); + fips_key_templates.push_back(MacKeyTemplates::HmacSha512HalfSizeTag()); + + for (auto key_template : fips_key_templates) { + EXPECT_THAT(KeysetHandle::GenerateNew(key_template).status(), IsOk()); + } +} + } // namespace } // namespace tink } // namespace crypto |