mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-17 14:32:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

fipsinstall: add -self_test_oninstall option.

Browse Source 
This option runs the self tests at installation time.  It fails for the 3.1
module.

Also changed the default behaviour to that set by the -self_test_onload
option.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)
This commit is contained in:
Pauli 2022-10-26 13:51:02 +11:00
parent a11064c83b
commit 7057dddbcb
3 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
apps/fipsinstall.c
View File

@ -38,7 +38,7 @@ typedef enum OPTION_choice {
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
OPT_NO_CONDITIONAL_ERRORS,
OPT_NO_SECURITY_CHECKS,
OPT_SELF_TEST_ONLOAD
OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
@ -57,6 +57,8 @@ const OPTIONS fipsinstall_options[] = {
"Disable the run-time FIPS security checks in the module"},
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load"},
{"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
"Forces self tests to run once on module installation"},
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
@ -100,12 +102,33 @@ static int load_fips_prov_and_run_self_test(const char *prov_name)
{
int ret = 0;
OSSL_PROVIDER *prov = NULL;
OSSL_PARAM params[4], *p = params;
char *name = "", *vers = "", *build = "";
prov = OSSL_PROVIDER_load(NULL, prov_name);
if (prov == NULL) {
BIO_printf(bio_err, "Failed to load FIPS module\n");
goto end;
}
if (!quiet) {
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
&name, sizeof(name));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
&vers, sizeof(vers));
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
&build, sizeof(build));
*p = OSSL_PARAM_construct_end();
if (!OSSL_PROVIDER_get_params(prov, params)) {
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
goto end;
}
if (OSSL_PARAM_modified(params))
BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name);
if (OSSL_PARAM_modified(params + 1))
BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
if (OSSL_PARAM_modified(params + 2))
BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
}
ret = 1;
end:
OSSL_PROVIDER_unload(prov);
@ -290,7 +313,7 @@ end:
int fipsinstall_main(int argc, char **argv)
{
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1;
int enable_conditional_errors = 1, enable_security_checks = 1;
const char *section_name = "fips_sect";
const char *mac_name = "HMAC";
@ -378,6 +401,9 @@ opthelp:
case OPT_SELF_TEST_ONLOAD:
self_test_onload = 1;
break;
case OPT_SELF_TEST_ONINSTALL:
self_test_onload = 0;
break;
}
}
@ -393,9 +419,10 @@ opthelp:
/* Test that a parent config can load the module */
if (verify_module_load(parent_config)) {
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
if (!quiet)
if (!quiet) {
BIO_printf(bio_err, "FIPS provider is %s\n",
ret == 0 ? "available" : " not available");
}
}
goto end;
}

14
doc/man1/openssl-fipsinstall.pod.in
View File

@ -22,6 +22,7 @@ B<openssl fipsinstall>
[B<-no_conditional_errors>]
[B<-no_security_checks>]
[B<-self_test_onload>]
[B<-self_test_oninstall>]
[B<-corrupt_desc> I<selftest_description>]
[B<-corrupt_type> I<selftest_type>]
[B<-config> I<parent_config>]
@ -174,6 +175,14 @@ target machine. Once the self tests have run on the target machine the user
could possibly then add the 2 fields into the configuration using some other
mechanism.
This is the default.
=item B<-self_test_oninstall>
The converse of B<-self_test_oninstall>. The two fields related to the
"test status indicator" and "MAC status indicator" are written to the
output configuration file.
=item B<-quiet>
Do not output pass/fail messages. Implies B<-noout>.
@ -209,6 +218,11 @@ test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignore
For normal usage the base configuration file should use the default provider
when generating the fips configuration file.
The B<-self_test_oninstall> option was added and the
B<-self_test_onload> option was made the default in OpenSSL 3.1.
The command and all remaining options were added in OpenSSL 3.0.
=head1 EXAMPLES
Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test

16
test/recipes/03-test_fipsinstall.t
View File

@ -24,7 +24,7 @@ use platform;
plan skip_all => "Test only supported in a fips build" if disabled("fips");
plan tests => 30;
plan tests => 31;
my $infile = bldtop_file('providers', platform->dso('fips'));
my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@ -239,7 +239,7 @@ SKIP: {
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_sect',
'-section_name', 'fips_sect', '-self_test_oninstall',
'-corrupt_desc', 'DSA',
'-corrupt_type', 'KAT_Signature'])),
"fipsinstall fails when the signature result is corrupted");
@ -338,3 +338,15 @@ SKIP: {
'-module', $infile, '-self_test_onload', '-verify'])),
"fipsinstall config verify passes when self test indicator is not present");
}
SKIP: {
run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
capture => 1, statusvar => \my $exit);
skip "FIPS provider version can run self tests on install", 1
if !$exit;
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
'-section_name', 'fips_sect', '-self_test_oninstall'])),
"fipsinstall fails when attempting to run self tests on install");
}