From 7057dddbcb5e053470121adeff0b6595fa6da0d8 Mon Sep 17 00:00:00 2001
From: Pauli <pauli@openssl.org>
Date: Wed, 26 Oct 2022 13:51:02 +1100
Subject: [PATCH] fipsinstall: add -self_test_oninstall option.

This option runs the self tests at installation time.  It fails for the 3.1
module.

Also changed the default behaviour to that set by the -self_test_onload
option.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19510)
---
 apps/fipsinstall.c                  | 33 ++++++++++++++++++++++++++---
 doc/man1/openssl-fipsinstall.pod.in | 14 ++++++++++++
 test/recipes/03-test_fipsinstall.t  | 16 ++++++++++++--
 3 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 5af007083a..5198e0863e 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -38,7 +38,7 @@ typedef enum OPTION_choice {
     OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
     OPT_NO_CONDITIONAL_ERRORS,
     OPT_NO_SECURITY_CHECKS,
-    OPT_SELF_TEST_ONLOAD
+    OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
 } OPTION_CHOICE;
 
 const OPTIONS fipsinstall_options[] = {
@@ -57,6 +57,8 @@ const OPTIONS fipsinstall_options[] = {
      "Disable the run-time FIPS security checks in the module"},
     {"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
      "Forces self tests to always run on module load"},
+    {"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
+     "Forces self tests to run once on module installation"},
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input config file, used when verifying"},
 
@@ -100,12 +102,33 @@ static int load_fips_prov_and_run_self_test(const char *prov_name)
 {
     int ret = 0;
     OSSL_PROVIDER *prov = NULL;
+    OSSL_PARAM params[4], *p = params;
+    char *name = "", *vers = "", *build = "";
 
     prov = OSSL_PROVIDER_load(NULL, prov_name);
     if (prov == NULL) {
         BIO_printf(bio_err, "Failed to load FIPS module\n");
         goto end;
     }
+    if (!quiet) {
+        *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
+                                             &name, sizeof(name));
+        *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
+                                             &vers, sizeof(vers));
+        *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
+                                             &build, sizeof(build));
+        *p = OSSL_PARAM_construct_end();
+        if (!OSSL_PROVIDER_get_params(prov, params)) {
+            BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
+            goto end;
+        }
+        if (OSSL_PARAM_modified(params))
+            BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name);
+        if (OSSL_PARAM_modified(params + 1))
+            BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
+        if (OSSL_PARAM_modified(params + 2))
+            BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
+    }
     ret = 1;
 end:
     OSSL_PROVIDER_unload(prov);
@@ -290,7 +313,7 @@ end:
 
 int fipsinstall_main(int argc, char **argv)
 {
-    int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
+    int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1;
     int enable_conditional_errors = 1, enable_security_checks = 1;
     const char *section_name = "fips_sect";
     const char *mac_name = "HMAC";
@@ -378,6 +401,9 @@ opthelp:
         case OPT_SELF_TEST_ONLOAD:
             self_test_onload = 1;
             break;
+        case OPT_SELF_TEST_ONINSTALL:
+            self_test_onload = 0;
+            break;
         }
     }
 
@@ -393,9 +419,10 @@ opthelp:
         /* Test that a parent config can load the module */
         if (verify_module_load(parent_config)) {
             ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
-            if (!quiet)
+            if (!quiet) {
                 BIO_printf(bio_err, "FIPS provider is %s\n",
                            ret == 0 ? "available" : " not available");
+            }
         }
         goto end;
     }
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 97e2ae910c..af18f361e6 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -22,6 +22,7 @@ B<openssl fipsinstall>
 [B<-no_conditional_errors>]
 [B<-no_security_checks>]
 [B<-self_test_onload>]
+[B<-self_test_oninstall>]
 [B<-corrupt_desc> I<selftest_description>]
 [B<-corrupt_type> I<selftest_type>]
 [B<-config> I<parent_config>]
@@ -174,6 +175,14 @@ target machine. Once the self tests have run on the target machine the user
 could possibly then add the 2 fields into the configuration using some other
 mechanism.
 
+This is the default.
+
+=item B<-self_test_oninstall>
+
+The converse of B<-self_test_oninstall>.  The two fields related to the
+"test status indicator" and "MAC status indicator" are written to the
+output configuration file.
+
 =item B<-quiet>
 
 Do not output pass/fail messages. Implies B<-noout>.
@@ -209,6 +218,11 @@ test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignore
 For normal usage the base configuration file should use the default provider
 when generating the fips configuration file.
 
+The B<-self_test_oninstall> option was added and the
+B<-self_test_onload> option was made the default in OpenSSL 3.1.
+
+The command and all remaining options were added in OpenSSL 3.0.
+
 =head1 EXAMPLES
 
 Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t
index 29a6ccfe59..b5f91ed621 100644
--- a/test/recipes/03-test_fipsinstall.t
+++ b/test/recipes/03-test_fipsinstall.t
@@ -24,7 +24,7 @@ use platform;
 
 plan skip_all => "Test only supported in a fips build" if disabled("fips");
 
-plan tests => 30;
+plan tests => 31;
 
 my $infile = bldtop_file('providers', platform->dso('fips'));
 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
@@ -239,7 +239,7 @@ SKIP: {
     ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
-                '-section_name', 'fips_sect',
+                '-section_name', 'fips_sect', '-self_test_oninstall',
                 '-corrupt_desc', 'DSA',
                 '-corrupt_type', 'KAT_Signature'])),
        "fipsinstall fails when the signature result is corrupted");
@@ -338,3 +338,15 @@ SKIP: {
                 '-module', $infile, '-self_test_onload', '-verify'])),
            "fipsinstall config verify passes when self test indicator is not present");
 }
+
+SKIP: {
+    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
+             capture => 1, statusvar => \my $exit);
+    skip "FIPS provider version can run self tests on install", 1
+        if !$exit;
+    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
+                '-provider_name', 'fips', '-mac_name', 'HMAC',
+                '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+                '-section_name', 'fips_sect', '-self_test_oninstall'])),
+       "fipsinstall fails when attempting to run self tests on install");
+}