From 2a7075cb8220a430b307659196672633b014e15d Mon Sep 17 00:00:00 2001
From: Shubham Mittal
Date: Thu, 19 Jun 2025 14:48:22 -0700
Subject: [PATCH 1/3] add initial test for snapsafe testing
---
 .../fipsmodule/rand/snapsafe_detect_test.cc | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
index 666b8e9539..a6ac0da949 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect_test.cc
+++ b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -90,6 +90,32 @@ TEST(SnapsafeGenerationTest, DISABLED_SysGenIDretrievalTesting) {
 EXPECT_EQ(new_sysgenid_value_hint, current_snapsafe_gen_num);
 }
 }
+
+// This test verifies that AWS-LC properly handles the case where /dev/sysgenid
+// exists but cannot be opened due to permission restrictions.
+TEST(SnapsafePermissionTest, DISABLED_PermissionDeniedTest) {
+ ASSERT_TRUE(HAZMAT_init_sysgenid_file());
+
+ // Verify the file was created and initially accessible
+ const char* sysgenid_path = CRYPTO_get_sysgenid_path();
+ struct stat file_stat;
+ ASSERT_EQ(0, stat(sysgenid_path, &file_stat));
+
+ // Change permissions to make the file unreadable
+ ASSERT_EQ(0, chmod(sysgenid_path, 0000));
+
+ // Should return 1 because the file exists (stat() succeeds)
+ EXPECT_EQ(1, CRYPTO_get_snapsafe_supported());
+
+ // Should return 0 because initialization failed (open() failed)
+ EXPECT_EQ(0, CRYPTO_get_snapsafe_active());
+
+ // Should return 0 (failure) and set generation number to 0
+ uint32_t gen_num = 0xFFFFFFFF;
+ EXPECT_EQ(0, CRYPTO_get_snapsafe_generation(&gen_num));
+ EXPECT_EQ(0U, gen_num);
+}
+
 #elif defined(OPENSSL_LINUX)
 TEST(SnapsafeGenerationTest, SysGenIDretrievalLinux) {
 uint32_t current_snapsafe_gen_num = 0xffffffff;
From c8bf6f8daa03b1f20af60b3abdfba0aca3cf7518 Mon Sep 17 00:00:00 2001
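Review bot: `chmod(sysgenid_path, 0000)` in DISABLED_PermissionDeniedTest does not stop a process running as root (or holding CAP_DAC_OVERRIDE) from opening the file, so in a root CI container `EXPECT_EQ(0, CRYPTO_get_snapsafe_active())` would likely fail for a reason unrelated to the library. I would skip in that case with `if (geteuid() == 0) { GTEST_SKIP() << "chmod 0000 does not restrict root"; }` before the chmod, adding `<unistd.h>` if the file does not already include it. The test also never restores the mode that `stat()` captured in `file_stat`, so the path stays at 0000 for whatever uses it next; a closing `EXPECT_EQ(0, chmod(sysgenid_path, file_stat.st_mode & 07777));` would undo it. Both points apply unchanged to the reworded test body in PATCH 2/3, whose new comment "Make file unreadable by anyone" overstates what mode 0000 guarantees.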
From: Shubham Mittal
Date: Thu, 19 Jun 2025 14:59:01 -0700
Subject: [PATCH 2/3] plumb new test to all_tests.json
---
 crypto/fipsmodule/rand/snapsafe_detect_test.cc | 9 +++------
 util/all_tests.json | 6 ++++++
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
index a6ac0da949..a1f1afbb62 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect_test.cc
+++ b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -94,20 +94,17 @@ TEST(SnapsafeGenerationTest, DISABLED_SysGenIDretrievalTesting) {
 // This test verifies that AWS-LC properly handles the case where /dev/sysgenid
 // exists but cannot be opened due to permission restrictions.
 TEST(SnapsafePermissionTest, DISABLED_PermissionDeniedTest) {
- ASSERT_TRUE(HAZMAT_init_sysgenid_file());
-
 // Verify the file was created and initially accessible
+ ASSERT_TRUE(HAZMAT_init_sysgenid_file());
 const char* sysgenid_path = CRYPTO_get_sysgenid_path();
 struct stat file_stat;
 ASSERT_EQ(0, stat(sysgenid_path, &file_stat));
 
- // Change permissions to make the file unreadable
+ // Make file unreadable by anyone
 ASSERT_EQ(0, chmod(sysgenid_path, 0000));
 
- // Should return 1 because the file exists (stat() succeeds)
+ // There is support, but it's not active due to read failure
 EXPECT_EQ(1, CRYPTO_get_snapsafe_supported());
-
- // Should return 0 because initialization failed (open() failed)
 EXPECT_EQ(0, CRYPTO_get_snapsafe_active());
 
 // Should return 0 (failure) and set generation number to 0
diff --git a/util/all_tests.json b/util/all_tests.json
index 246b5af026..0cf06a7fad 100644
--- a/util/all_tests.json
+++ b/util/all_tests.json
@@ -57,6 +57,12 @@
 "skip_valgrind": true,
 "shard": false
 },
+ {
+ "comment": "Run snapsafe permissions test suite",
+ "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafePermissionTest.*"],
+ "skip_valgrind": true,
+ "shard": false
+ },
 {
 "comment": "Potentially with RDRAND, but not Intel",
 "cmd": ["crypto/urandom_test"],
From e34cb497c1b68d2811b7a24e47e263ea2322317a Mon Sep 17 00:00:00 2001
From: Shubham Mittal
Date: Thu, 19 Jun 2025 16:16:37 -0700
Subject: [PATCH 3/3] get rid of reinit and change test order
---
 crypto/fipsmodule/rand/snapsafe_detect_test.cc | 1 -
 util/all_tests.json | 8 ++++----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/crypto/fipsmodule/rand/snapsafe_detect_test.cc b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
index a1f1afbb62..e1ec097c7a 100644
--- a/crypto/fipsmodule/rand/snapsafe_detect_test.cc
+++ b/crypto/fipsmodule/rand/snapsafe_detect_test.cc
@@ -95,7 +95,6 @@ TEST(SnapsafeGenerationTest, DISABLED_SysGenIDretrievalTesting) {
 // exists but cannot be opened due to permission restrictions.
 TEST(SnapsafePermissionTest, DISABLED_PermissionDeniedTest) {
 // Verify the file was created and initially accessible
- ASSERT_TRUE(HAZMAT_init_sysgenid_file());
 const char* sysgenid_path = CRYPTO_get_sysgenid_path();
 struct stat file_stat;
 ASSERT_EQ(0, stat(sysgenid_path, &file_stat));
diff --git a/util/all_tests.json b/util/all_tests.json
index 0cf06a7fad..f4a1398c0f 100644
--- a/util/all_tests.json
+++ b/util/all_tests.json
@@ -52,14 +52,14 @@
 "target_arch": "x86"
 },
 {
- "comment": "Run snapsafe detection test suite",
- "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafeGenerationTest.*"],
+ "comment": "Run snapsafe permissions test suite",
+ "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafePermissionTest.*"],
 "skip_valgrind": true,
 "shard": false
 },
 {
- "comment": "Run snapsafe permissions test suite",
- "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafePermissionTest.*"],
+ "comment": "Run snapsafe detection test suite",
+ "cmd": ["crypto/crypto_test", "--gtest_also_run_disabled_tests", "--gtest_filter=SnapsafeGenerationTest.*"],
 "skip_valgrind": true,
 "shard": false
 },
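Review bot: Moving the SnapsafePermissionTest entry ahead of the SnapsafeGenerationTest entry, while the same patch drops `HAZMAT_init_sysgenid_file()` from that test, leaves its `ASSERT_EQ(0, stat(sysgenid_path, &file_stat))` dependent on a file that nothing visible in this series has created by then. The permission test also leaves the path at mode 0000, which the detection entry that now follows would inherit unless its own setup recreates or re-chmods the file (not visible here). The ordering requirement is recorded nowhere, so I would put it in the entry, e.g. `"comment": "Run snapsafe permissions test suite first; it expects the sysgenid test file to already exist"`. The test's remaining comment `// Verify the file was created and initially accessible` should also say what creates the file.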