authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-07 07:55:10 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-07 11:45:13 +0100
commit12ab4f725d605130a7719a687981d9d1d3e6337f (patch)
tree3d8ba213ef007b4f02286caa3e42234b202bbabc
parent603772688c4e37dae437b4cede12e25b9dd9f678 (diff)
tests: converted compile-time checks for FIPS140 mode to run-timetmp-use-thread-local-rng
This allows running the complete test suite even when the library is compiled in FIPS140-2 mode, as long as that mode is not active at run-time.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--tests/Makefile.am2
-rw-r--r--tests/cve-2009-1416.c10
-rw-r--r--tests/mini-record-2.c16
-rw-r--r--tests/mini-record-failure.c24
-rw-r--r--tests/mini-record-retvals.c12
-rw-r--r--tests/mini-record.c6
-rw-r--r--tests/openssl.c4
-rw-r--r--tests/pkcs12_encode.c11
-rw-r--r--tests/priorities.c18
-rw-r--r--tests/record-sizes.c12
-rw-r--r--tests/rng-no-onload.c6
-rw-r--r--tests/set_pkcs12_cred.c6
-rwxr-xr-xtests/suite/testcompat-openssl.sh5
-rwxr-xr-xtests/suite/testcompat-polarssl.sh5
-rwxr-xr-xtests/suite/testpkcs11.sh5
15 files changed, 81 insertions, 61 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 490aa5162d..b1d25421eb 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -231,11 +231,9 @@ mini_alignment_CPPFLAGS = $(AM_CPPFLAGS) $(NETTLE_CFLAGS)
mini_alignment_LDADD = $(LDADD) $(NETTLE_LIBS)
if ENABLE_OPENSSL
-if !ENABLE_FIPS140
ctests += openssl
openssl_LDADD = ../extra/libgnutls-openssl.la $(LDADD)
endif
-endif
if ENABLE_OPENPGP
ctests += openpgp-auth openpgp-auth2 openpgp-keyring pgps2kgnu
diff --git a/tests/cve-2009-1416.c b/tests/cve-2009-1416.c
index 128d4abd91..56904f6b4a 100644
--- a/tests/cve-2009-1416.c
+++ b/tests/cve-2009-1416.c
@@ -48,14 +48,15 @@
int main(void)
{
-#ifdef ENABLE_FIPS140
- /* Cannot generate a 512-bit DSA key */
- return 77;
-#else
gnutls_x509_privkey_t key;
gnutls_datum_t p, q, g, y, x;
int ret;
+ if (gnutls_fips140_mode_enabled()) {
+ /* Cannot generate a 512-bit DSA key */
+ return 77;
+ }
+
global_init();
ret = gnutls_x509_privkey_init(&key);
@@ -85,5 +86,4 @@ int main(void)
gnutls_global_deinit();
return 0;
-#endif
}
diff --git a/tests/mini-record-2.c b/tests/mini-record-2.c
index c6abe0951e..c4a22c1836 100644
--- a/tests/mini-record-2.c
+++ b/tests/mini-record-2.c
@@ -446,17 +446,17 @@ void doit(void)
start(AES_CCM, 0);
start(AES_CCM_8, 0);
-#ifndef ENABLE_FIPS140
- start(NULL_SHA1, 0);
+ if (!gnutls_fips140_mode_enabled()) {
+ start(NULL_SHA1, 0);
- start(ARCFOUR_SHA1, 0);
- start(ARCFOUR_MD5, 0);
- start(CHACHA_POLY1305, 0);
+ start(ARCFOUR_SHA1, 0);
+ start(ARCFOUR_MD5, 0);
+ start(CHACHA_POLY1305, 0);
-# ifdef HAVE_LIBZ
- start(ARCFOUR_SHA1_ZLIB, 0);
-# endif
+#ifdef HAVE_LIBZ
+ start(ARCFOUR_SHA1_ZLIB, 0);
#endif
+ }
#ifdef HAVE_LIBZ
start(AES_GCM_ZLIB, 0);
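Review bot: The new `if (!gnutls_fips140_mode_enabled())` block in doit() has no comment saying why these suites are left out, so a reader can mistake the skip for a coverage gap. I would add `/* NULL, ARCFOUR and CHACHA20-POLY1305 are not available in FIPS140-2 mode */` above the condition. The same applies to the equivalent blocks in tests/mini-record-failure.c (both hunks), tests/mini-record-retvals.c and tests/mini-record.c. The inner `#ifdef HAVE_LIBZ` here also drops the `# ifdef` nesting form that those sibling files keep. doit() starts and ends outside the hunk.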
diff --git a/tests/mini-record-failure.c b/tests/mini-record-failure.c
index 9f70ce3055..ba62449a6d 100644
--- a/tests/mini-record-failure.c
+++ b/tests/mini-record-failure.c
@@ -380,16 +380,16 @@ void doit(void)
start(AES_CCM, 0);
start(AES_CCM_8, 0);
-#ifndef ENABLE_FIPS140
- start(NULL_SHA1, 0);
+ if (!gnutls_fips140_mode_enabled()) {
+ start(NULL_SHA1, 0);
- start(ARCFOUR_SHA1, 0);
- start(ARCFOUR_MD5, 0);
+ start(ARCFOUR_SHA1, 0);
+ start(ARCFOUR_MD5, 0);
# ifdef HAVE_LIBZ
- start(ARCFOUR_SHA1_ZLIB, 0);
+ start(ARCFOUR_SHA1_ZLIB, 0);
# endif
-#endif
+ }
#ifdef HAVE_LIBZ
start(AES_GCM_ZLIB, 0);
@@ -399,16 +399,16 @@ void doit(void)
start(AES_CBC_SHA256 NO_ETM, 1);
start(AES_GCM NO_ETM, 0);
-#ifndef ENABLE_FIPS140
- start(NULL_SHA1 NO_ETM, 0);
+ if (!gnutls_fips140_mode_enabled()) {
+ start(NULL_SHA1 NO_ETM, 0);
- start(ARCFOUR_SHA1 NO_ETM, 0);
- start(ARCFOUR_MD5 NO_ETM, 0);
+ start(ARCFOUR_SHA1 NO_ETM, 0);
+ start(ARCFOUR_MD5 NO_ETM, 0);
# ifdef HAVE_LIBZ
- start(ARCFOUR_SHA1_ZLIB NO_ETM, 0);
+ start(ARCFOUR_SHA1_ZLIB NO_ETM, 0);
# endif
-#endif
+ }
#ifdef HAVE_LIBZ
start(AES_GCM_ZLIB NO_ETM, 0);
diff --git a/tests/mini-record-retvals.c b/tests/mini-record-retvals.c
index 6355de0e49..9e8b4c1869 100644
--- a/tests/mini-record-retvals.c
+++ b/tests/mini-record-retvals.c
@@ -449,16 +449,16 @@ void doit(void)
start(AES_CBC_SHA256, 0);
start(AES_GCM, 0);
-#ifndef ENABLE_FIPS140
- start(NULL_SHA1, 0);
+ if (!gnutls_fips140_mode_enabled()) {
+ start(NULL_SHA1, 0);
- start(ARCFOUR_SHA1, 0);
- start(ARCFOUR_MD5, 0);
+ start(ARCFOUR_SHA1, 0);
+ start(ARCFOUR_MD5, 0);
# ifdef HAVE_LIBZ
- start(ARCFOUR_SHA1_ZLIB, 0);
+ start(ARCFOUR_SHA1_ZLIB, 0);
# endif
-#endif
+ }
#ifdef HAVE_LIBZ
start(AES_GCM_ZLIB, 0);
diff --git a/tests/mini-record.c b/tests/mini-record.c
index f6d9c61a5d..6e8c0ffb42 100644
--- a/tests/mini-record.c
+++ b/tests/mini-record.c
@@ -413,9 +413,9 @@ void doit(void)
start(AES_GCM);
start(AES_CCM);
start(AES_CCM_8);
-#ifndef ENABLE_FIPS140
- start(CHACHA_POLY1305);
-#endif
+ if (!gnutls_fips140_mode_enabled()) {
+ start(CHACHA_POLY1305);
+ }
}
#endif /* _WIN32 */
diff --git a/tests/openssl.c b/tests/openssl.c
index aee870a707..483611cfc0 100644
--- a/tests/openssl.c
+++ b/tests/openssl.c
@@ -35,6 +35,10 @@ void doit(void)
MD5_CTX c;
unsigned char md[MD5_DIGEST_LENGTH];
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
if (global_init() != 0)
fail("global_init\n");
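Review bot: The added `exit(77)` at the top of doit() skips the whole test without saying why, unlike tests/cve-2009-1416.c where the same guard carries a comment. Presumably the reason is the MD5 use visible in the context lines (`MD5_CTX`), which would not be usable in FIPS140-2 mode; a one-line comment such as `/* MD5 is not available in FIPS140-2 mode */` would record that. The bare `exit(77)` guards added in tests/record-sizes.c, tests/rng-no-onload.c and tests/set_pkcs12_cred.c would benefit from the same kind of comment, each naming what rules the test out. doit() continues outside the hunk.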
diff --git a/tests/pkcs12_encode.c b/tests/pkcs12_encode.c
index 46c5092e49..3b0e84ef13 100644
--- a/tests/pkcs12_encode.c
+++ b/tests/pkcs12_encode.c
@@ -128,11 +128,12 @@ void doit(void)
}
/* Generate and add PKCS#12 cert bags. */
-#ifndef ENABLE_FIPS140
- tests = 2; /* include RC2 */
-#else
- tests = 1;
-#endif
+ if (!gnutls_fips140_mode_enabled()) {
+ tests = 2; /* include RC2 */
+ } else {
+ tests = 1;
+ }
+
for (i = 0; i < tests; i++) {
ret = gnutls_pkcs12_bag_init(&bag);
if (ret < 0) {
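Review bot: The negated condition with an `else` branch reads backwards for a two-way choice; a single assignment is easier to follow, `tests = gnutls_fips140_mode_enabled() ? 1 : 2; /* 2 includes RC2 */`. This is a style point only, the resulting values are unchanged. doit() and the for loop extend beyond the hunk.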
diff --git a/tests/priorities.c b/tests/priorities.c
index b1b5d40428..f0eb7b7570 100644
--- a/tests/priorities.c
+++ b/tests/priorities.c
@@ -101,7 +101,6 @@ void doit(void)
int normal_ciphers = 11;
int pfs_cs = 39;
-#ifdef ENABLE_FIPS140
if (gnutls_fips140_mode_enabled()) {
normal_cs = 30;
normal_ciphers = 6;
@@ -109,17 +108,18 @@ void doit(void)
sec256_cs = 11;
sec128_cs = 30;
}
-#endif
try_prio("NORMAL", normal_cs, normal_ciphers, __LINE__);
try_prio("NORMAL:-MAC-ALL:+MD5:+MAC-ALL", normal_cs, normal_ciphers, __LINE__);
-#ifndef ENABLE_FIPS140
- try_prio("PFS", pfs_cs, normal_ciphers, __LINE__);
- try_prio("NORMAL:+CIPHER-ALL", normal_cs, 11, __LINE__); /* all (except null) */
- try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal_cs + null, 12, __LINE__); /* should be null + all */
- try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */
-#endif
+
+ if (!gnutls_fips140_mode_enabled()) {
+ try_prio("PFS", pfs_cs, normal_ciphers, __LINE__);
+ try_prio("NORMAL:+CIPHER-ALL", normal_cs, 11, __LINE__); /* all (except null) */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL", null, 1, __LINE__); /* null */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL", normal_cs + null, 12, __LINE__); /* should be null + all */
+ try_prio("NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC", 8, 1, __LINE__); /* should be null + all */
+ }
+
try_prio("PERFORMANCE", normal_cs, normal_ciphers, __LINE__);
try_prio("SECURE256", sec256_cs, 6, __LINE__);
try_prio("SECURE128", sec128_cs, 11, __LINE__);
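Review bot: The re-added line for `"NORMAL:-CIPHER-ALL:+NULL:+CIPHER-ALL:-CIPHER-ALL:+AES-128-CBC"` keeps the comment `/* should be null + all */`, which does not match its expected values `8, 1` and looks copied from the line above; since the line is touched anyway, something like `/* should be AES-128-CBC only */` would fit. Separately, doit() now calls `gnutls_fips140_mode_enabled()` twice (here and in the preceding hunk); reading it once into a local, e.g. `const int fips = gnutls_fips140_mode_enabled();`, would tie both branches to the same answer. doit() starts and ends outside the hunk.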
diff --git a/tests/record-sizes.c b/tests/record-sizes.c
index 1683da14f2..47cd5920b2 100644
--- a/tests/record-sizes.c
+++ b/tests/record-sizes.c
@@ -43,8 +43,6 @@ static void tls_log_func(int level, const char *str)
/* This test attempts to transfer various sizes using ARCFOUR-128.
*/
-#ifndef ENABLE_FIPS140
-
#define MAX_BUF 16384
static char b1[MAX_BUF + 1];
static char buffer[MAX_BUF + 1];
@@ -66,6 +64,10 @@ void doit(void)
ssize_t ns;
int ret, transferred = 0;
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
/* General init. */
global_init();
gnutls_global_set_log_function(tls_log_func);
@@ -159,9 +161,3 @@ void doit(void)
gnutls_global_deinit();
}
-#else
-void doit(void)
-{
- exit(77);
-}
-#endif
diff --git a/tests/rng-no-onload.c b/tests/rng-no-onload.c
index 726b5fddf4..ac01be2144 100644
--- a/tests/rng-no-onload.c
+++ b/tests/rng-no-onload.c
@@ -32,7 +32,7 @@
#include <gnutls/crypto.h>
#include "utils.h"
-#if defined(ENABLE_FIPS140) || !defined(__linux__) || !defined(__GNUC__)
+#if !defined(__linux__) || !defined(__GNUC__)
void doit(void)
{
@@ -58,6 +58,10 @@ gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
void doit(void)
{
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
global_init();
if (_rnd_called != 0)
diff --git a/tests/set_pkcs12_cred.c b/tests/set_pkcs12_cred.c
index 8e45047467..7f324bb41e 100644
--- a/tests/set_pkcs12_cred.c
+++ b/tests/set_pkcs12_cred.c
@@ -40,11 +40,9 @@ typedef struct {
} files_st;
files_st files[] = {
-#ifndef ENABLE_FIPS140
{"client.p12", "foobar"},
{"cert-ca.p12", "1234"}, /* 2 certs, one is a CA */
{"pkcs12_2certs.p12", ""}, /* 2 certs, on is unrelated */
-#endif
{NULL, NULL}
};
@@ -56,6 +54,10 @@ void doit(void)
char file[512];
int ret;
+ if (gnutls_fips140_mode_enabled()) {
+ exit(77);
+ }
+
ret = global_init();
if (ret < 0)
fail("global_init failed %d\n", ret);
diff --git a/tests/suite/testcompat-openssl.sh b/tests/suite/testcompat-openssl.sh
index 096d3da7ee..cec0c7161e 100755
--- a/tests/suite/testcompat-openssl.sh
+++ b/tests/suite/testcompat-openssl.sh
@@ -32,6 +32,11 @@
srcdir="${srcdir:-.}"
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
if ! test -x /usr/bin/openssl; then
echo "You need openssl to run this test"
exit 77
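Review bot: The added guard tests only the `GNUTLS_FORCE_FIPS_MODE` environment variable, while the C tests in this commit ask the library through `gnutls_fips140_mode_enabled()`; if the library can also enter FIPS140-2 mode from a host-level setting (not visible here), this script would run instead of skipping on such a host. At minimum a comment should state the limit, e.g. `# Detects only the GNUTLS_FORCE_FIPS_MODE override, not a system-wide FIPS setting`. The variable is also compared with exactly `1`, so any other value that enables the mode would pass through. The same guard is added to tests/suite/testcompat-polarssl.sh and tests/suite/testpkcs11.sh.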
diff --git a/tests/suite/testcompat-polarssl.sh b/tests/suite/testcompat-polarssl.sh
index 32e04f753b..4c7a493d17 100755
--- a/tests/suite/testcompat-polarssl.sh
+++ b/tests/suite/testcompat-polarssl.sh
@@ -34,6 +34,11 @@ srcdir="${srcdir:-.}"
export TZ="UTC"
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
# Check for datefudge
TSTAMP=`datefudge "2006-09-23 00:00 UTC" date -u +%s 2>/dev/null`
if test "${TSTAMP}" != "1158969600"; then
diff --git a/tests/suite/testpkcs11.sh b/tests/suite/testpkcs11.sh
index c49624870c..b3001ca1e6 100755
--- a/tests/suite/testpkcs11.sh
+++ b/tests/suite/testpkcs11.sh
@@ -26,6 +26,11 @@ SERV="${SERV:-../../src/gnutls-serv${EXEEXT}}"
CLI="${CLI:-../../src/gnutls-cli${EXEEXT}}"
RETCODE=0
+if test "${GNUTLS_FORCE_FIPS_MODE}" = 1;then
+ echo "Cannot run in FIPS140-2 mode"
+ exit 77
+fi
+
if ! test -x "${P11TOOL}"; then
exit 77
fi