tests: use utility to detect FIPS mode

mbroz · mbroz · commit 11a4fc6790d3 · 2025-11-19T22:09:27.000+01:00
Also try to use crypto lib/kernel check where appropriate.

This can be useful for local testing (non-FIPS kernel) byt
should not break real FIPS systems.
diff --git a/tests/00modules-test b/tests/00modules-test
@@ -17,6 +17,9 @@ if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
 	echo "Kernel running in FIPS mode."
 fi
 
+./crypto-check fips_mode && echo "Crypto backend running in FIPS mode."
+./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode."
+
 if [ -f /etc/os-release ] ; then
 	source /etc/os-release
 	echo "$PRETTY_NAME ($NAME) $VERSION"
diff --git a/tests/align-test b/tests/align-test
@@ -10,8 +10,6 @@ PWD1="93R4P4pIqAH8"
 PWD2="mymJeD8ivEhE"
 FAST_PBKDF="--pbkdf-force-iterations 1000"
 
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
 	CRYPTSETUP_VALGRIND=$CRYPTSETUP
 else
@@ -22,7 +20,7 @@ fi
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }
 
 cleanup() {
diff --git a/tests/api-test.c b/tests/api-test.c
@@ -64,6 +64,7 @@
 #define LUKS_PHDR_SIZE_B 1024
 
 static int _fips_mode = 0;
+static int _fips_mode_kernel = 0;
 
 static char *DEVICE_1 = NULL;
 static char *DEVICE_2 = NULL;
@@ -293,8 +294,9 @@ static int _setup(void)
 		return 1;
 
 	_fips_mode = fips_mode();
+	_fips_mode_kernel = fips_mode_kernel();
 	if (_debug)
-		printf("FIPS MODE: %d\n", _fips_mode);
+		printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);
 
 	/* Use default log callback */
 	crypt_set_log_callback(NULL, &global_log_callback, NULL);
@@ -1833,7 +1835,7 @@ static void TcryptTest(void)
 	CRYPT_FREE(cd);
 
 	// Following test uses non-FIPS algorithms in the cipher chain
-	if(_fips_mode)
+	if(_fips_mode || _fips_mode_kernel)
 		return;
 
 	OK_(crypt_init(&cd, tcrypt_dev2));
diff --git a/tests/api_test.h b/tests/api_test.h
@@ -31,6 +31,7 @@ int t_dm_capi_string_supported(void);
 int t_set_readahead(const char *device, unsigned value);
 
 int fips_mode(void);
+int fips_mode_kernel(void);
 
 int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset);
 
diff --git a/tests/compat-test b/tests/compat-test
@@ -50,7 +50,6 @@ KEY_MATERIAL5_EXT="S331776-395264"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 remove_mapping()
 {
@@ -83,7 +82,7 @@ trap _sigchld CHLD
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }
 
 can_fail_fips()
diff --git a/tests/compat-test-opal b/tests/compat-test-opal
@@ -42,8 +42,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 	[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
@@ -73,7 +71,7 @@ trap _sigchld CHLD
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }
 
 can_fail_fips()
diff --git a/tests/compat-test2 b/tests/compat-test2
@@ -48,7 +48,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 TEST_UUID="12345678-1234-1234-1234-123456789abc"
 
 LOOPDEV=$(losetup -f 2>/dev/null)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 remove_mapping()
 {
@@ -88,7 +87,7 @@ trap _sigchld CHLD
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode
 }
 
 can_fail_fips()
diff --git a/tests/crypto-vectors.c b/tests/crypto-vectors.c
@@ -18,8 +18,6 @@
 # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
 #endif
 
-static bool fips_active = false;
-
 static void printhex(const char *s, const char *buf, size_t len)
 {
 	size_t i;
@@ -31,24 +29,6 @@ static void printhex(const char *s, const char *buf, size_t len)
 	fflush(stdout);
 }
 
-static bool fips_mode(void)
-{
-	int fd;
-	char buf = 0;
-
-	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
-	if (fd < 0)
-		return false;
-
-	if (read(fd, &buf, 1) != 1)
-		buf = '0';
-
-	close(fd);
-
-	return (buf == '1');
-}
-
 /*
  * KDF tests
  */
@@ -1043,7 +1023,7 @@ static int pbkdf_test_vectors(void)
 		    vec->salt, vec->salt_length,
 		    result, vec->output_length,
 		    vec->iterations, vec->memory, vec->parallelism) < 0) {
-			if (vec->can_fail_fips && fips_mode()) {
+			if (vec->can_fail_fips && crypt_fips_mode()) {
 				printf("[API FAILED, IGNORED (FIPS mode)]\n");
 				continue;
 			}
@@ -1552,7 +1532,7 @@ static int kernel_capi_check_test(void)
 		if (!r)
 			printf("[OK]\n");
 		else if (r == -ENOENT || r == -ENOTSUP ||
-			(fips_active && !capi_test_vectors[i].fips))
+			(crypt_fips_mode_kernel() && !capi_test_vectors[i].fips))
 			printf("[N/A]\n");
 		else
 			return EXIT_FAILURE;
@@ -1580,8 +1560,6 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 	}
 #endif
 
-	fips_active = fips_mode();
-
 	if (crypt_backend_init())
 		exit_test("Crypto backend init error.", EXIT_FAILURE);
 
@@ -1615,7 +1593,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
 		exit_test("Kernel CAPI test failed.", EXIT_FAILURE);
 
 	if (default_alg_test()) {
-		if (fips_mode())
+		if (crypt_fips_mode())
 			printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
 		else
 			exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
diff --git a/tests/keyring-compat-test b/tests/keyring-compat-test
@@ -33,8 +33,6 @@ else
 	CRYPTSETUP_LIB_VALGRIND=../.libs
 fi
 
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 remove_mapping()
 {
 	[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
@@ -115,9 +113,9 @@ test_and_prepare_keyring() {
 	load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
 }
 
-fips_mode()
+fips_mode_kernel()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode_kernel
 }
 
 add_device() {
@@ -205,7 +203,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corrupti
 echo "OK"
 
 #test serpent cipher, cbc mode, tcw IV
-fips_mode || {
+fips_mode_kernel || {
 echo -n "Testing $CIPHER_CBC_TCW..."
 dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
 sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
diff --git a/tests/luks2-reencryption-test b/tests/luks2-reencryption-test
@@ -54,8 +54,6 @@ HAVE_KEYRING=0
 JSON_MSIZE=16384
 IMG_JSON=luks2-digest-1.json
 
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
-
 dm_crypt_features()
 {
 	VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
@@ -163,7 +161,7 @@ skip()
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }
 
 add_scsi_device() {
diff --git a/tests/reencryption-compat-test b/tests/reencryption-compat-test
@@ -30,11 +30,10 @@ LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"
 
 MNT_DIR=./mnt_luks
 START_DIR=$(pwd)
-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
 
 fips_mode()
 {
-	[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]
+	./crypto-check fips_mode || ./crypto-check fips_mode_kernel
 }
 
 del_scsi_device()
diff --git a/tests/test_utils.c b/tests/test_utils.c
@@ -165,20 +165,12 @@ int t_set_readahead(const char *device, unsigned value)
 
 int fips_mode(void)
 {
-	int fd;
-	char buf = 0;
-
-	fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
-
-	if (fd < 0)
-		return 0;
-
-	if (read(fd, &buf, 1) != 1)
-		buf = '0';
-
-	close(fd);
+	return _system("./crypto-check fips_mode", 1) == 0;
+}
 
-	return (buf == '1');
+int fips_mode_kernel(void)
+{
+	return _system("./crypto-check fips_mode_kernel", 1) == 0;
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,6 @@ PWD1="93R4P4pIqAH8"`
`10`	`10`	`PWD2="mymJeD8ivEhE"`
`11`	`11`	`FAST_PBKDF="--pbkdf-force-iterations 1000"`
`12`	`12`
`13`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`14`		`-`
`15`	`13`	`if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then`
`16`	`14`	`CRYPTSETUP_VALGRIND=$CRYPTSETUP`
`17`	`15`	`else`
`@@ -22,7 +20,7 @@ fi`
`22`	`20`
`23`	`21`	`fips_mode()`
`24`	`22`	`{`
`25`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`23`	`+ ./crypto-check fips_mode`
`26`	`24`	`}`
`27`	`25`
`28`	`26`	`cleanup() {`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,6 @@ KEY_MATERIAL5_EXT="S331776-395264"`
`50`	`50`	`TEST_UUID="12345678-1234-1234-1234-123456789abc"`
`51`	`51`
`52`	`52`	`LOOPDEV=$(losetup -f 2>/dev/null)`
`53`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`54`	`53`
`55`	`54`	`remove_mapping()`
`56`	`55`	`{`
`@@ -83,7 +82,7 @@ trap _sigchld CHLD`
`83`	`82`
`84`	`83`	`fips_mode()`
`85`	`84`	`{`
`86`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`85`	`+ ./crypto-check fips_mode`
`87`	`86`	`}`
`88`	`87`
`89`	`88`	`can_fail_fips()`
Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"`
`42`	`42`
`43`	`43`	`TEST_UUID="12345678-1234-1234-1234-123456789abc"`
`44`	`44`
`45`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`46`		`-`
`47`	`45`	`remove_mapping()`
`48`	`46`	`{`
`49`	`47`	`[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2`
`@@ -73,7 +71,7 @@ trap _sigchld CHLD`
`73`	`71`
`74`	`72`	`fips_mode()`
`75`	`73`	`{`
`76`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`74`	`+ ./crypto-check fips_mode`
`77`	`75`	`}`
`78`	`76`
`79`	`77`	`can_fail_fips()`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"`
`48`	`48`	`TEST_UUID="12345678-1234-1234-1234-123456789abc"`
`49`	`49`
`50`	`50`	`LOOPDEV=$(losetup -f 2>/dev/null)`
`51`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`52`	`51`
`53`	`52`	`remove_mapping()`
`54`	`53`	`{`
`@@ -88,7 +87,7 @@ trap _sigchld CHLD`
`88`	`87`
`89`	`88`	`fips_mode()`
`90`	`89`	`{`
`91`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`90`	`+ ./crypto-check fips_mode`
`92`	`91`	`}`
`93`	`92`
`94`	`93`	`can_fail_fips()`
Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,6 @@ else`
`33`	`33`	`CRYPTSETUP_LIB_VALGRIND=../.libs`
`34`	`34`	`fi`
`35`	`35`
`36`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`37`		`-`
`38`	`36`	`remove_mapping()`
`39`	`37`	`{`
`40`	`38`	`[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME`
`@@ -115,9 +113,9 @@ test_and_prepare_keyring() {`
`115`	`113`	`load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" \|\| skip "Kernel keyring service is useless on this system, test skipped."`
`116`	`114`	`}`
`117`	`115`
`118`		`-fips_mode()`
	`116`	`+fips_mode_kernel()`
`119`	`117`	`{`
`120`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`118`	`+ ./crypto-check fips_mode_kernel`
`121`	`119`	`}`
`122`	`120`
`123`	`121`	`add_device() {`
`@@ -205,7 +203,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING \|\| fail "Plaintext checksums mismatch (corrupti`
`205`	`203`	`echo "OK"`
`206`	`204`
`207`	`205`	`#test serpent cipher, cbc mode, tcw IV`
`208`		`-fips_mode \|\| {`
	`206`	`+fips_mode_kernel \|\| {`
`209`	`207`	`echo -n "Testing $CIPHER_CBC_TCW..."`
`210`	`208`	`dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" \|\| fail`
`211`	`209`	`sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT \|\| fail`
Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,6 @@ HAVE_KEYRING=0`
`54`	`54`	`JSON_MSIZE=16384`
`55`	`55`	`IMG_JSON=luks2-digest-1.json`
`56`	`56`
`57`		`-FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)`
`58`		`-`
`59`	`57`	`dm_crypt_features()`
`60`	`58`	`{`
`61`	`59`	`VER_STR=$(dmsetup targets \| grep crypt \| cut -f2 -dv)`
`@@ -163,7 +161,7 @@ skip()`
`163`	`161`
`164`	`162`	`fips_mode()`
`165`	`163`	`{`
`166`		`- [ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ]`
	`164`	`+ ./crypto-check fips_mode \|\| ./crypto-check fips_mode_kernel`
`167`	`165`	`}`
`168`	`166`
`169`	`167`	`add_scsi_device() {`