FipsStatusTest handles AWS-LC built without FIPS_BREAK_TEST

WillChilds-Klein · WillChilds-Klein · commit 3d15b97be09b · 2025-03-12T20:07:56.000Z
diff --git a/README.md b/README.md
@@ -134,6 +134,7 @@ ACCP did not track a FIPS branch/release version of AWS-LC until ACCP v2.3.0. Be
 | 2.4.0               | 1.30.1         | 2.0.13              |
 | 2.4.1               | 1.30.1         | 2.0.13              |
 | 2.5.0               | 1.47.0         | 3.0.0               |
+| 2.6.0               | 1.48.2         | 3.0.0               |
 
 Notable differences between ACCP and ACCP-FIPS:
 * ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02).
diff --git a/aws-lc b/aws-lc
@@ -1 +1 @@
-Subproject commit b596787531313454fd538f7d207a63d34b072963
+Subproject commit 7bca7e96fab19e4857b70082fa4c759ff0119e12
diff --git a/build.gradle b/build.gradle
@@ -14,7 +14,7 @@ plugins {
 
 group = 'software.amazon.cryptools'
 version = '2.5.0'
-ext.awsLcMainTag = 'v1.47.0'
+ext.awsLcMainTag = 'v1.48.2'
 ext.awsLcFipsTag = 'AWS-LC-FIPS-3.0.0'
 ext.isExperimentalFips = Boolean.getBoolean('EXPERIMENTAL_FIPS')
 ext.isFips = ext.isExperimentalFips || Boolean.getBoolean('FIPS')
@@ -260,7 +260,7 @@ task buildAwsLc {
                 args '-DCMAKE_BUILD_TYPE=RelWithDebInfo'
                 args "-DCMAKE_INSTALL_PREFIX=${sharedObjectOutDir}"
                 args "-DCMAKE_VERBOSE_MAKEFILE:BOOL=ON"
-
+                def cmakeCFlags = ""
 
                 if (isFips) {
                     println "Building AWS-LC in FIPS mode"
@@ -269,14 +269,16 @@ task buildAwsLc {
 
                 if (allowFipsTestBreak) {
                     println "Building AWS-LC with hooks to break FIPS tests"
-                    args '-DFIPS_BREAK_TEST=TESTS'
+                    cmakeCFlags += '-DBORINGSSL_FIPS_BREAK_TESTS '
                 }
 
                 if (isFipsSelfTestFailureSkipAbort) {
                     println "Building AWS-LC to call callback instead of aborting on self-test failure"
-                    args '-DCMAKE_C_FLAGS="-DAWSLC_FIPS_FAILURE_CALLBACK"'
+                    cmakeCFlags += '-DAWSLC_FIPS_FAILURE_CALLBACK '
                 }
 
+                args "-DCMAKE_C_FLAGS='${cmakeCFlags}'"
+
                 args '.'
             }
         }
diff --git a/tst/com/amazon/corretto/crypto/provider/test/FipsStatusTest.java b/tst/com/amazon/corretto/crypto/provider/test/FipsStatusTest.java
@@ -28,7 +28,7 @@
 @ResourceLock(value = TestUtil.RESOURCE_GLOBAL, mode = ResourceAccessMode.READ_WRITE)
 public class FipsStatusTest {
 
-  private final AmazonCorrettoCryptoProvider provider = AmazonCorrettoCryptoProvider.INSTANCE;
+  private static final AmazonCorrettoCryptoProvider provider = AmazonCorrettoCryptoProvider.INSTANCE;
   private static final String PWCT_BREAKAGE_ENV_VAR = "BORINGSSL_FIPS_BREAK_TEST";
 
   @Test
@@ -55,18 +55,30 @@ public void givenAccpBuiltWithFips_whenAWS_LC_fips_failure_callback_expectExcept
     }
   }
 
-  private void testPwctBreakage(final String algo, String envVarValue) throws Exception {
+  // Key generation should ~never fail under normal conditions, so consider a breakage to
+  // indicate that AWS-LC was built with the FIPS_BREAK_TEST build flag set.
+  private static boolean awsLcIsBuiltWitFipshBreakTest() throws Exception {
+    final String algorithm = "RSA";
+    KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, provider);
+    TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, String.format("%s_PWCT", algorithm));
+    try {
+        kpg.generateKeyPair();
+    } catch (RuntimeCryptoException e) {
+        return true;
+    } finally {
+        TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, null);
+    }
+    return false;
+  }
+
+  private static void testPwctBreakage(final String algo, String envVarValue) throws Exception {
     NativeTestHooks.resetFipsStatus();
     final KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo, provider);
     assertTrue(provider.isFipsStatusOk());
     // Set PWCT_BREAKAGE_ENV_VAR for desired keygen test to break it
     TestUtil.setEnv(PWCT_BREAKAGE_ENV_VAR, envVarValue);
     // Key generation should now fail
-    if ("Ed25519".equals(algo)) { // TODO: Remove after https://github.com/aws/aws-lc/pull/2256
-      assertNotNull(kpg.generateKeyPair());
-    } else {
-      assertThrows(RuntimeCryptoException.class, () -> kpg.generateKeyPair());
-    }
+    assertThrows(RuntimeCryptoException.class, () -> kpg.generateKeyPair());
     // Global FIPS status should not be OK, and we shouldn't be able to get more KPG instances
     assertTrue(provider.getFipsSelfTestFailures().size() > 0);
     assertFalse(provider.isFipsStatusOk());
@@ -86,12 +98,10 @@ private void testPwctBreakage(final String algo, String envVarValue) throws Exce
   public void testPwctBreakageSkipAbort() throws Exception {
     assumeTrue(provider.isFips());
     assumeTrue(provider.isFipsSelfTestFailureSkipAbort());
+    assumeTrue(awsLcIsBuiltWitFipshBreakTest());
     testPwctBreakage("RSA", "RSA_PWCT");
     testPwctBreakage("EC", "ECDSA_PWCT");
-    // TODO: remove check after https://github.com/corretto/amazon-corretto-crypto-provider/pull/438
-    if (TestUtil.getJavaVersion() >= 15) {
-      testPwctBreakage("Ed25519", "EDDSA_PWCT");
-    }
+    testPwctBreakage("Ed25519", "EDDSA_PWCT");
     if (provider.isExperimentalFips()) { // can be removed when AWS-LC-FIPS supports ML-DSA
       testPwctBreakage("ML-DSA", "MLDSA_PWCT");
     }
