2019-08-24 16:56:34 +08:00
|
|
|
#! /usr/bin/env perl
|
|
|
|
|
# Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
|
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
# in the file LICENSE in the source distribution or at
|
|
|
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
|
|
|
|
|
|
use strict;
|
|
|
|
|
use warnings;
|
|
|
|
|
|
|
|
|
|
use File::Spec;
|
|
|
|
|
use File::Copy;
|
|
|
|
|
use OpenSSL::Glob;
|
|
|
|
|
use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/;
|
|
|
|
|
use OpenSSL::Test::Utils;
|
|
|
|
|
|
|
|
|
|
BEGIN {
|
|
|
|
|
setup("test_fipsinstall");
|
|
|
|
|
}
|
|
|
|
|
use lib srctop_dir('Configurations');
|
|
|
|
|
use lib bldtop_dir('.');
|
|
|
|
|
use platform;
|
|
|
|
|
|
|
|
|
|
plan skip_all => "Test only supported in a fips build" if disabled("fips");
|
|
|
|
|
|
2020-01-31 05:53:04 +08:00
|
|
|
plan tests => 10;
|
2019-08-24 16:56:34 +08:00
|
|
|
|
|
|
|
|
my $infile = bldtop_file('providers', platform->dso('fips'));
|
|
|
|
|
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
|
|
|
|
|
|
2019-11-23 15:54:29 +08:00
|
|
|
# fail if no module name
|
2020-02-26 02:25:13 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
|
2019-08-24 16:56:34 +08:00
|
|
|
'-provider_name', 'fips',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall fail");
|
2019-08-24 16:56:34 +08:00
|
|
|
|
2019-11-23 15:54:29 +08:00
|
|
|
# fail to verify if the configuration file is missing
|
2019-08-24 16:56:34 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
|
|
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-verify'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall verify fail");
|
2019-08-24 16:56:34 +08:00
|
|
|
|
|
|
|
|
|
2020-02-26 02:25:13 +08:00
|
|
|
# output a fips.cnf file containing mac data
|
|
|
|
|
ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
|
2019-08-24 16:56:34 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall");
|
2019-08-24 16:56:34 +08:00
|
|
|
|
2020-02-26 02:25:13 +08:00
|
|
|
# verify the fips.cnf file
|
|
|
|
|
ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
|
2019-08-24 16:56:34 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-verify'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall verify");
|
2019-08-24 16:56:34 +08:00
|
|
|
|
2020-02-26 02:25:13 +08:00
|
|
|
# fail to verify the fips.cnf file if a different key is used
|
|
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
|
2019-08-24 16:56:34 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:01',
|
|
|
|
|
'-section_name', 'fips_install', '-verify'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall verify fail bad key");
|
2019-08-24 16:56:34 +08:00
|
|
|
|
2020-02-26 02:25:13 +08:00
|
|
|
# fail to verify the fips.cnf file if a different mac digest is used
|
|
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
|
2019-08-24 16:56:34 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA512', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-verify'])),
|
2019-11-23 15:54:29 +08:00
|
|
|
"fipsinstall verify fail incorrect digest");
|
2020-01-15 08:48:01 +08:00
|
|
|
|
|
|
|
|
# corrupt the module hmac
|
2020-02-26 02:25:13 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
|
2020-01-15 08:48:01 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-corrupt_desc', 'HMAC'])),
|
|
|
|
|
"fipsinstall fails when the module integrity is corrupted");
|
|
|
|
|
|
|
|
|
|
# corrupt the first digest
|
2020-02-26 02:25:13 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
|
2020-01-15 08:48:01 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-corrupt_desc', 'SHA1'])),
|
|
|
|
|
"fipsinstall fails when the digest result is corrupted");
|
|
|
|
|
|
|
|
|
|
# corrupt another digest
|
2020-02-26 02:25:13 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
|
2020-01-15 08:48:01 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-corrupt_desc', 'SHA3'])),
|
|
|
|
|
"fipsinstall fails when the digest result is corrupted");
|
2020-01-31 05:53:04 +08:00
|
|
|
|
|
|
|
|
# corrupt DRBG
|
2020-02-26 02:25:13 +08:00
|
|
|
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
|
2020-01-31 05:53:04 +08:00
|
|
|
'-provider_name', 'fips', '-mac_name', 'HMAC',
|
|
|
|
|
'-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
|
|
|
|
|
'-section_name', 'fips_install', '-corrupt_desc', 'CTR'])),
|
|
|
|
|
"fipsinstall fails when the DRBG CTR result is corrupted");
|
