aead_fips.rs - mozsearch

Enable keyboard shortcuts

// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or

// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license

// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your

// option. This file may not be copied, modified, or distributed

// except according to those terms.

//! Tests for the blapi backend running under a FIPS-mode NSS database.

//!

//! The blapi feature calls freebl directly, bypassing softoken's FIPS

//! enforcement layer (intentional — see `src/freebl.rs`).  This means blapi

//! AEAD operations must succeed regardless of FIPS mode; FIPS enforcement is

//! a PKCS#11/softoken concern, not a freebl concern.

//!

//! Each test file in `tests/` compiles to an independent binary, so

//! `fixture_init_fips` runs before any other NSS initialization in this suite.

#![cfg(feature = "blapi")]

#![cfg(not(feature = "disable-encryption"))]

use nss_rs::constants::{

    TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256,

};

use test_fixture::fixture_init_fips;

mod common;

/// Verify that blapi AEAD works with all three TLS 1.3 cipher suites when NSS

/// is in FIPS mode.  blapi bypasses PKCS#11 FIPS enforcement entirely, so the

/// cipher suites work regardless of whether they are individually FIPS-approved.

#[test]

fn blapi_fips_roundtrip() {

    if !fixture_init_fips() {

        // Non-certified NSS build (e.g. macOS Homebrew): FIPS HMAC check fails.

        // This test is meaningful only on a FIPS-capable NSS installation.

        println!("SKIP: NSS FIPS mode not available on this platform");

        return;

    let secret = common::import_secret();

    for cipher in [

        TLS_AES_128_GCM_SHA256,

        TLS_AES_256_GCM_SHA384,

        TLS_CHACHA20_POLY1305_SHA256,

] {

        common::roundtrip(&secret, cipher);