Add FipsStatus() method to KeyTypeManagers for AEAD, DAEAD, MAC, Prf and Streaming AEAD.

Each key manager indicates now whether it can be registered in FIPS mode. This allows to enforce in the registry that non-FIPS key manager can not be register at runtime.

PiperOrigin-RevId: 366970350

1 files changed, 10 insertions, 2 deletions

diff --git a/cc/mac/mac_config_test.cc b/cc/mac/mac_config_test.cc
index 2df12e7cb..6c5183b12 100644
--- a/cc/mac/mac_config_test.cc
+++ b/cc/mac/mac_config_test.cc
@@ -46,6 +46,10 @@ class MacConfigTest : public ::testing::Test {
 };
 
 TEST_F(MacConfigTest, Basic) {
+  if (kUseOnlyFips) {
+    GTEST_SKIP() << "Not supported in FIPS-only mode";
+  }
+
   EXPECT_THAT(
       Registry::get_key_manager<Mac>(HmacKeyManager().get_key_type()).status(),
       StatusIs(util::error::NOT_FOUND));
@@ -58,6 +62,10 @@ TEST_F(MacConfigTest, Basic) {
 // Tests that the MacWrapper has been properly registered and we can wrap
 // primitives.
 TEST_F(MacConfigTest, WrappersRegistered) {
+  if (kUseOnlyFips) {
+    GTEST_SKIP() << "Not supported in FIPS-only mode";
+  }
+
   ASSERT_TRUE(MacConfig::Register().ok());
 
   google::crypto::tink::KeysetInfo::KeyInfo key_info;
@@ -89,7 +97,7 @@ TEST_F(MacConfigTest, WrappersRegistered) {
 
 // FIPS-only mode tests
 TEST_F(MacConfigTest, RegisterNonFipsTemplates) {
-  if (!kUseOnlyFips) {
+  if (!kUseOnlyFips || !FIPS_mode()) {
     GTEST_SKIP() << "Only supported in FIPS-only mode";
   }
 
@@ -105,7 +113,7 @@ TEST_F(MacConfigTest, RegisterNonFipsTemplates) {
 }
 
 TEST_F(MacConfigTest, RegisterFipsValidTemplates) {
-  if (!kUseOnlyFips) {
+  if (!kUseOnlyFips || !FIPS_mode()) {
     GTEST_SKIP() << "Only supported in FIPS-only mode";
   }