mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
01244adfc6
Fixes #23400 The 3.1 FIPS provider no longer writes out the 'status indicator' by default due to changes related to FIPS 140-3 requirements. For Backwards compatability if the fipsinstall detects it is loading a 3.0.X FIPS provider then it will save the 'status indicator' by default. Disclaimer: Using a fipsinstall command line utility that is not supplied with the FIPS provider tarball source is not recommended. This PR deliberately does not attempt to exclude any additional options that were added after 3.0.X. These additional options will be ignored by older providers. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/23689)
978 lines
36 KiB
C
978 lines
36 KiB
C
/*
|
|
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <openssl/evp.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/provider.h>
|
|
#include <openssl/params.h>
|
|
#include <openssl/fips_names.h>
|
|
#include <openssl/core_names.h>
|
|
#include <openssl/self_test.h>
|
|
#include <openssl/fipskey.h>
|
|
#include "apps.h"
|
|
#include "progs.h"
|
|
|
|
#define BUFSIZE 4096
|
|
|
|
/* Configuration file values */
|
|
#define VERSION_KEY "version"
|
|
#define VERSION_VAL "1"
|
|
#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
|
|
|
|
static OSSL_CALLBACK self_test_events;
|
|
static char *self_test_corrupt_desc = NULL;
|
|
static char *self_test_corrupt_type = NULL;
|
|
static int self_test_log = 1;
|
|
static int quiet = 0;
|
|
|
|
typedef enum OPTION_choice {
|
|
OPT_COMMON,
|
|
OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC,
|
|
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
|
|
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
|
|
OPT_NO_CONDITIONAL_ERRORS,
|
|
OPT_NO_SECURITY_CHECKS,
|
|
OPT_TLS_PRF_EMS_CHECK, OPT_NO_SHORT_MAC,
|
|
OPT_DISALLOW_PKCS15_PADDING, OPT_RSA_PSS_SALTLEN_CHECK,
|
|
OPT_DISALLOW_SIGNATURE_X931_PADDING,
|
|
OPT_HMAC_KEY_CHECK, OPT_KMAC_KEY_CHECK,
|
|
OPT_DISALLOW_DRGB_TRUNC_DIGEST,
|
|
OPT_SIGNATURE_DIGEST_CHECK,
|
|
OPT_HKDF_DIGEST_CHECK,
|
|
OPT_TLS13_KDF_DIGEST_CHECK,
|
|
OPT_TLS1_PRF_DIGEST_CHECK,
|
|
OPT_SSHKDF_DIGEST_CHECK,
|
|
OPT_SSKDF_DIGEST_CHECK,
|
|
OPT_X963KDF_DIGEST_CHECK,
|
|
OPT_DISALLOW_DSA_SIGN,
|
|
OPT_DISALLOW_TDES_ENCRYPT,
|
|
OPT_HKDF_KEY_CHECK,
|
|
OPT_KBKDF_KEY_CHECK,
|
|
OPT_TLS13_KDF_KEY_CHECK,
|
|
OPT_TLS1_PRF_KEY_CHECK,
|
|
OPT_SSHKDF_KEY_CHECK,
|
|
OPT_SSKDF_KEY_CHECK,
|
|
OPT_X963KDF_KEY_CHECK,
|
|
OPT_X942KDF_KEY_CHECK,
|
|
OPT_NO_PBKDF2_LOWER_BOUND_CHECK,
|
|
OPT_ECDH_COFACTOR_CHECK,
|
|
OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
|
|
} OPTION_CHOICE;
|
|
|
|
const OPTIONS fipsinstall_options[] = {
|
|
OPT_SECTION("General"),
|
|
{"help", OPT_HELP, '-', "Display this summary"},
|
|
{"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"},
|
|
{"verify", OPT_VERIFY, '-',
|
|
"Verify a config file instead of generating one"},
|
|
{"module", OPT_MODULE, '<', "File name of the provider module"},
|
|
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
|
|
{"section_name", OPT_SECTION_NAME, 's',
|
|
"FIPS Provider config section name (optional)"},
|
|
{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
|
|
"Disable the ability of the fips module to enter an error state if"
|
|
" any conditional self tests fail"},
|
|
{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
|
|
"Disable the run-time FIPS security checks in the module"},
|
|
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
|
|
"Forces self tests to always run on module load"},
|
|
{"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
|
|
"Forces self tests to run once on module installation"},
|
|
{"ems_check", OPT_TLS_PRF_EMS_CHECK, '-',
|
|
"Enable the run-time FIPS check for EMS during TLS1_PRF"},
|
|
{"no_short_mac", OPT_NO_SHORT_MAC, '-', "Disallow short MAC output"},
|
|
{"no_drbg_truncated_digests", OPT_DISALLOW_DRGB_TRUNC_DIGEST, '-',
|
|
"Disallow truncated digests with Hash and HMAC DRBGs"},
|
|
{"signature_digest_check", OPT_SIGNATURE_DIGEST_CHECK, '-',
|
|
"Enable checking for approved digests for signatures"},
|
|
{"hmac_key_check", OPT_HMAC_KEY_CHECK, '-', "Enable key check for HMAC"},
|
|
{"kmac_key_check", OPT_KMAC_KEY_CHECK, '-', "Enable key check for KMAC"},
|
|
{"hkdf_digest_check", OPT_HKDF_DIGEST_CHECK, '-',
|
|
"Enable digest check for HKDF"},
|
|
{"tls13_kdf_digest_check", OPT_TLS13_KDF_DIGEST_CHECK, '-',
|
|
"Enable digest check for TLS13-KDF"},
|
|
{"tls1_prf_digest_check", OPT_TLS1_PRF_DIGEST_CHECK, '-',
|
|
"Enable digest check for TLS1-PRF"},
|
|
{"sshkdf_digest_check", OPT_SSHKDF_DIGEST_CHECK, '-',
|
|
"Enable digest check for SSHKDF"},
|
|
{"sskdf_digest_check", OPT_SSKDF_DIGEST_CHECK, '-',
|
|
"Enable digest check for SSKDF"},
|
|
{"x963kdf_digest_check", OPT_X963KDF_DIGEST_CHECK, '-',
|
|
"Enable digest check for X963KDF"},
|
|
{"dsa_sign_disabled", OPT_DISALLOW_DSA_SIGN, '-',
|
|
"Disallow DSA signing"},
|
|
{"tdes_encrypt_disabled", OPT_DISALLOW_TDES_ENCRYPT, '-',
|
|
"Disallow Triple-DES encryption"},
|
|
{"rsa_pkcs15_padding_disabled", OPT_DISALLOW_PKCS15_PADDING, '-',
|
|
"Disallow PKCS#1 version 1.5 padding for RSA encryption"},
|
|
{"rsa_pss_saltlen_check", OPT_RSA_PSS_SALTLEN_CHECK, '-',
|
|
"Enable salt length check for RSA-PSS signature operations"},
|
|
{"rsa_sign_x931_disabled", OPT_DISALLOW_SIGNATURE_X931_PADDING, '-',
|
|
"Disallow X931 Padding for RSA signing"},
|
|
{"hkdf_key_check", OPT_HKDF_KEY_CHECK, '-',
|
|
"Enable key check for HKDF"},
|
|
{"kbkdf_key_check", OPT_KBKDF_KEY_CHECK, '-',
|
|
"Enable key check for KBKDF"},
|
|
{"tls13_kdf_key_check", OPT_TLS13_KDF_KEY_CHECK, '-',
|
|
"Enable key check for TLS13-KDF"},
|
|
{"tls1_prf_key_check", OPT_TLS1_PRF_KEY_CHECK, '-',
|
|
"Enable key check for TLS1-PRF"},
|
|
{"sshkdf_key_check", OPT_SSHKDF_KEY_CHECK, '-',
|
|
"Enable key check for SSHKDF"},
|
|
{"sskdf_key_check", OPT_SSKDF_KEY_CHECK, '-',
|
|
"Enable key check for SSKDF"},
|
|
{"x963kdf_key_check", OPT_X963KDF_KEY_CHECK, '-',
|
|
"Enable key check for X963KDF"},
|
|
{"x942kdf_key_check", OPT_X942KDF_KEY_CHECK, '-',
|
|
"Enable key check for X942KDF"},
|
|
{"no_pbkdf2_lower_bound_check", OPT_NO_PBKDF2_LOWER_BOUND_CHECK, '-',
|
|
"Disable lower bound check for PBKDF2"},
|
|
{"ecdh_cofactor_check", OPT_ECDH_COFACTOR_CHECK, '-',
|
|
"Enable Cofactor check for ECDH"},
|
|
OPT_SECTION("Input"),
|
|
{"in", OPT_IN, '<', "Input config file, used when verifying"},
|
|
|
|
OPT_SECTION("Output"),
|
|
{"out", OPT_OUT, '>', "Output config file, used when generating"},
|
|
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
|
|
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form."},
|
|
{OPT_MORE_STR, 0, 0, "See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
|
|
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
|
|
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
|
|
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
|
|
{"config", OPT_CONFIG, '<', "The parent config to verify"},
|
|
{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
|
|
{NULL}
|
|
};
|
|
|
|
typedef struct {
|
|
unsigned int self_test_onload : 1;
|
|
unsigned int conditional_errors : 1;
|
|
unsigned int security_checks : 1;
|
|
unsigned int hmac_key_check : 1;
|
|
unsigned int kmac_key_check : 1;
|
|
unsigned int tls_prf_ems_check : 1;
|
|
unsigned int no_short_mac : 1;
|
|
unsigned int drgb_no_trunc_dgst : 1;
|
|
unsigned int signature_digest_check : 1;
|
|
unsigned int hkdf_digest_check : 1;
|
|
unsigned int tls13_kdf_digest_check : 1;
|
|
unsigned int tls1_prf_digest_check : 1;
|
|
unsigned int sshkdf_digest_check : 1;
|
|
unsigned int sskdf_digest_check : 1;
|
|
unsigned int x963kdf_digest_check : 1;
|
|
unsigned int dsa_sign_disabled : 1;
|
|
unsigned int tdes_encrypt_disabled : 1;
|
|
unsigned int rsa_pkcs15_padding_disabled : 1;
|
|
unsigned int rsa_pss_saltlen_check : 1;
|
|
unsigned int sign_x931_padding_disabled : 1;
|
|
unsigned int hkdf_key_check : 1;
|
|
unsigned int kbkdf_key_check : 1;
|
|
unsigned int tls13_kdf_key_check : 1;
|
|
unsigned int tls1_prf_key_check : 1;
|
|
unsigned int sshkdf_key_check : 1;
|
|
unsigned int sskdf_key_check : 1;
|
|
unsigned int x963kdf_key_check : 1;
|
|
unsigned int x942kdf_key_check : 1;
|
|
unsigned int pbkdf2_lower_bound_check : 1;
|
|
unsigned int ecdh_cofactor_check : 1;
|
|
} FIPS_OPTS;
|
|
|
|
/* Pedantic FIPS compliance */
|
|
static const FIPS_OPTS pedantic_opts = {
|
|
1, /* self_test_onload */
|
|
1, /* conditional_errors */
|
|
1, /* security_checks */
|
|
1, /* hmac_key_check */
|
|
1, /* kmac_key_check */
|
|
1, /* tls_prf_ems_check */
|
|
1, /* no_short_mac */
|
|
1, /* drgb_no_trunc_dgst */
|
|
1, /* signature_digest_check */
|
|
1, /* hkdf_digest_check */
|
|
1, /* tls13_kdf_digest_check */
|
|
1, /* tls1_prf_digest_check */
|
|
1, /* sshkdf_digest_check */
|
|
1, /* sskdf_digest_check */
|
|
1, /* x963kdf_digest_check */
|
|
1, /* dsa_sign_disabled */
|
|
1, /* tdes_encrypt_disabled */
|
|
1, /* rsa_pkcs15_padding_disabled */
|
|
1, /* rsa_pss_saltlen_check */
|
|
1, /* sign_x931_padding_disabled */
|
|
1, /* hkdf_key_check */
|
|
1, /* kbkdf_key_check */
|
|
1, /* tls13_kdf_key_check */
|
|
1, /* tls1_prf_key_check */
|
|
1, /* sshkdf_key_check */
|
|
1, /* sskdf_key_check */
|
|
1, /* x963kdf_key_check */
|
|
1, /* x942kdf_key_check */
|
|
1, /* pbkdf2_lower_bound_check */
|
|
1, /* ecdh_cofactor_check */
|
|
};
|
|
|
|
/* Default FIPS settings for backward compatibility */
|
|
static FIPS_OPTS fips_opts = {
|
|
1, /* self_test_onload */
|
|
1, /* conditional_errors */
|
|
1, /* security_checks */
|
|
0, /* hmac_key_check */
|
|
0, /* kmac_key_check */
|
|
0, /* tls_prf_ems_check */
|
|
0, /* no_short_mac */
|
|
0, /* drgb_no_trunc_dgst */
|
|
0, /* signature_digest_check */
|
|
0, /* hkdf_digest_check */
|
|
0, /* tls13_kdf_digest_check */
|
|
0, /* tls1_prf_digest_check */
|
|
0, /* sshkdf_digest_check */
|
|
0, /* sskdf_digest_check */
|
|
0, /* x963kdf_digest_check */
|
|
0, /* dsa_sign_disabled */
|
|
0, /* tdes_encrypt_disabled */
|
|
0, /* rsa_pkcs15_padding_disabled */
|
|
0, /* rsa_pss_saltlen_check */
|
|
0, /* sign_x931_padding_disabled */
|
|
0, /* hkdf_key_check */
|
|
0, /* kbkdf_key_check */
|
|
0, /* tls13_kdf_key_check */
|
|
0, /* tls1_prf_key_check */
|
|
0, /* sshkdf_key_check */
|
|
0, /* sskdf_key_check */
|
|
0, /* x963kdf_key_check */
|
|
0, /* x942kdf_key_check */
|
|
1, /* pbkdf2_lower_bound_check */
|
|
0, /* ecdh_cofactor_check */
|
|
};
|
|
|
|
static int check_non_pedantic_fips(int pedantic, const char *name)
|
|
{
|
|
if (pedantic) {
|
|
BIO_printf(bio_err, "Cannot specify -%s after -pedantic\n", name);
|
|
return 0;
|
|
}
|
|
return 1;
|
|
}
|
|
|
|
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
|
|
unsigned char *out, size_t *out_len)
|
|
{
|
|
int ret = 0;
|
|
int i;
|
|
size_t outsz = *out_len;
|
|
|
|
if (!EVP_MAC_init(ctx, NULL, 0, NULL))
|
|
goto err;
|
|
if (EVP_MAC_CTX_get_mac_size(ctx) > outsz)
|
|
goto end;
|
|
while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) {
|
|
if (i < 0 || !EVP_MAC_update(ctx, tmp, i))
|
|
goto err;
|
|
}
|
|
end:
|
|
if (!EVP_MAC_final(ctx, out, out_len, outsz))
|
|
goto err;
|
|
ret = 1;
|
|
err:
|
|
return ret;
|
|
}
|
|
|
|
static int load_fips_prov_and_run_self_test(const char *prov_name,
|
|
int *is_fips_140_2_prov)
|
|
{
|
|
int ret = 0;
|
|
OSSL_PROVIDER *prov = NULL;
|
|
OSSL_PARAM params[4], *p = params;
|
|
char *name = "", *vers = "", *build = "";
|
|
|
|
prov = OSSL_PROVIDER_load(NULL, prov_name);
|
|
if (prov == NULL) {
|
|
BIO_printf(bio_err, "Failed to load FIPS module\n");
|
|
goto end;
|
|
}
|
|
if (!quiet) {
|
|
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
|
|
&name, sizeof(name));
|
|
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
|
|
&vers, sizeof(vers));
|
|
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
|
|
&build, sizeof(build));
|
|
*p = OSSL_PARAM_construct_end();
|
|
if (!OSSL_PROVIDER_get_params(prov, params)) {
|
|
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
|
|
goto end;
|
|
}
|
|
if (OSSL_PARAM_modified(params))
|
|
BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name);
|
|
if (OSSL_PARAM_modified(params + 1))
|
|
BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
|
|
if (OSSL_PARAM_modified(params + 2))
|
|
BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
|
|
} else {
|
|
*p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
|
|
&vers, sizeof(vers));
|
|
*p = OSSL_PARAM_construct_end();
|
|
if (!OSSL_PROVIDER_get_params(prov, params)) {
|
|
BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
|
|
goto end;
|
|
}
|
|
}
|
|
*is_fips_140_2_prov = (strncmp("3.0.", vers, 4) == 0);
|
|
ret = 1;
|
|
end:
|
|
OSSL_PROVIDER_unload(prov);
|
|
return ret;
|
|
}
|
|
|
|
static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
|
|
size_t len)
|
|
{
|
|
int ret;
|
|
char *hexstr = NULL;
|
|
|
|
hexstr = OPENSSL_buf2hexstr(mac, (long)len);
|
|
if (hexstr == NULL)
|
|
return 0;
|
|
ret = BIO_printf(bio, "%s = %s\n", label, hexstr);
|
|
OPENSSL_free(hexstr);
|
|
return ret;
|
|
}
|
|
|
|
static int write_config_header(BIO *out, const char *prov_name,
|
|
const char *section)
|
|
{
|
|
return BIO_printf(out, "openssl_conf = openssl_init\n\n")
|
|
&& BIO_printf(out, "[openssl_init]\n")
|
|
&& BIO_printf(out, "providers = provider_section\n\n")
|
|
&& BIO_printf(out, "[provider_section]\n")
|
|
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
|
|
}
|
|
|
|
/*
|
|
* Outputs a fips related config file that contains entries for the fips
|
|
* module checksum, installation indicator checksum and the options
|
|
* conditional_errors and security_checks.
|
|
*
|
|
* Returns 1 if the config file is written otherwise it returns 0 on error.
|
|
*/
|
|
static int write_config_fips_section(BIO *out, const char *section,
|
|
unsigned char *module_mac,
|
|
size_t module_mac_len,
|
|
const FIPS_OPTS *opts,
|
|
unsigned char *install_mac,
|
|
size_t install_mac_len)
|
|
{
|
|
int ret = 0;
|
|
|
|
if (BIO_printf(out, "[%s]\n", section) <= 0
|
|
|| BIO_printf(out, "activate = 1\n") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
|
|
VERSION_VAL) <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
|
|
opts->conditional_errors ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SECURITY_CHECKS,
|
|
opts->security_checks ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HMAC_KEY_CHECK,
|
|
opts->hmac_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KMAC_KEY_CHECK,
|
|
opts->kmac_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK,
|
|
opts->tls_prf_ems_check ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_NO_SHORT_MAC,
|
|
opts->no_short_mac ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST,
|
|
opts->drgb_no_trunc_dgst ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SIGNATURE_DIGEST_CHECK,
|
|
opts->signature_digest_check ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_DIGEST_CHECK,
|
|
opts->hkdf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_TLS13_KDF_DIGEST_CHECK,
|
|
opts->tls13_kdf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_TLS1_PRF_DIGEST_CHECK,
|
|
opts->tls1_prf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_SSHKDF_DIGEST_CHECK,
|
|
opts->sshkdf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_DIGEST_CHECK,
|
|
opts->sskdf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_X963KDF_DIGEST_CHECK,
|
|
opts->x963kdf_digest_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DSA_SIGN_DISABLED,
|
|
opts->dsa_sign_disabled ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TDES_ENCRYPT_DISABLED,
|
|
opts->tdes_encrypt_disabled ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_RSA_PKCS15_PAD_DISABLED,
|
|
opts->rsa_pkcs15_padding_disabled ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_RSA_PSS_SALTLEN_CHECK,
|
|
opts->rsa_pss_saltlen_check ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_RSA_SIGN_X931_PAD_DISABLED,
|
|
opts->sign_x931_padding_disabled ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_HKDF_KEY_CHECK,
|
|
opts->hkdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_KBKDF_KEY_CHECK,
|
|
opts->kbkdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_TLS13_KDF_KEY_CHECK,
|
|
opts->tls13_kdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_TLS1_PRF_KEY_CHECK,
|
|
opts->tls1_prf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSHKDF_KEY_CHECK,
|
|
opts->sshkdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_SSKDF_KEY_CHECK,
|
|
opts->sskdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X963KDF_KEY_CHECK,
|
|
opts->x963kdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_X942KDF_KEY_CHECK,
|
|
opts->x942kdf_key_check ? "1": "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n",
|
|
OSSL_PROV_PARAM_PBKDF2_LOWER_BOUND_CHECK,
|
|
opts->pbkdf2_lower_bound_check ? "1" : "0") <= 0
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_ECDH_COFACTOR_CHECK,
|
|
opts->ecdh_cofactor_check ? "1": "0") <= 0
|
|
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
|
|
module_mac_len))
|
|
goto end;
|
|
|
|
if (install_mac != NULL
|
|
&& install_mac_len > 0
|
|
&& opts->self_test_onload == 0) {
|
|
if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
|
|
install_mac_len)
|
|
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
|
|
INSTALL_STATUS_VAL) <= 0)
|
|
goto end;
|
|
}
|
|
ret = 1;
|
|
end:
|
|
return ret;
|
|
}
|
|
|
|
static CONF *generate_config_and_load(const char *prov_name,
|
|
const char *section,
|
|
unsigned char *module_mac,
|
|
size_t module_mac_len,
|
|
const FIPS_OPTS *opts)
|
|
{
|
|
BIO *mem_bio = NULL;
|
|
CONF *conf = NULL;
|
|
|
|
mem_bio = BIO_new(BIO_s_mem());
|
|
if (mem_bio == NULL)
|
|
return 0;
|
|
if (!write_config_header(mem_bio, prov_name, section)
|
|
|| !write_config_fips_section(mem_bio, section,
|
|
module_mac, module_mac_len,
|
|
opts, NULL, 0))
|
|
goto end;
|
|
|
|
conf = app_load_config_bio(mem_bio, NULL);
|
|
if (conf == NULL)
|
|
goto end;
|
|
|
|
if (CONF_modules_load(conf, NULL, 0) <= 0)
|
|
goto end;
|
|
BIO_free(mem_bio);
|
|
return conf;
|
|
end:
|
|
NCONF_free(conf);
|
|
BIO_free(mem_bio);
|
|
return NULL;
|
|
}
|
|
|
|
static void free_config_and_unload(CONF *conf)
|
|
{
|
|
if (conf != NULL) {
|
|
NCONF_free(conf);
|
|
CONF_modules_unload(1);
|
|
}
|
|
}
|
|
|
|
static int verify_module_load(const char *parent_config_file)
|
|
{
|
|
return OSSL_LIB_CTX_load_config(NULL, parent_config_file);
|
|
}
|
|
|
|
/*
|
|
* Returns 1 if the config file entries match the passed in module_mac and
|
|
* install_mac values, otherwise it returns 0.
|
|
*/
|
|
static int verify_config(const char *infile, const char *section,
|
|
unsigned char *module_mac, size_t module_mac_len,
|
|
unsigned char *install_mac, size_t install_mac_len)
|
|
{
|
|
int ret = 0;
|
|
char *s = NULL;
|
|
unsigned char *buf1 = NULL, *buf2 = NULL;
|
|
long len;
|
|
CONF *conf = NULL;
|
|
|
|
/* read in the existing values and check they match the saved values */
|
|
conf = app_load_config(infile);
|
|
if (conf == NULL)
|
|
goto end;
|
|
|
|
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_VERSION);
|
|
if (s == NULL || strcmp(s, VERSION_VAL) != 0) {
|
|
BIO_printf(bio_err, "version not found\n");
|
|
goto end;
|
|
}
|
|
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC);
|
|
if (s == NULL) {
|
|
BIO_printf(bio_err, "Module integrity MAC not found\n");
|
|
goto end;
|
|
}
|
|
buf1 = OPENSSL_hexstr2buf(s, &len);
|
|
if (buf1 == NULL
|
|
|| (size_t)len != module_mac_len
|
|
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
|
|
BIO_printf(bio_err, "Module integrity mismatch\n");
|
|
goto end;
|
|
}
|
|
if (install_mac != NULL && install_mac_len > 0) {
|
|
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
|
|
if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) {
|
|
BIO_printf(bio_err, "install status not found\n");
|
|
goto end;
|
|
}
|
|
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
|
|
if (s == NULL) {
|
|
BIO_printf(bio_err, "Install indicator MAC not found\n");
|
|
goto end;
|
|
}
|
|
buf2 = OPENSSL_hexstr2buf(s, &len);
|
|
if (buf2 == NULL
|
|
|| (size_t)len != install_mac_len
|
|
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
|
|
BIO_printf(bio_err, "Install indicator status mismatch\n");
|
|
goto end;
|
|
}
|
|
}
|
|
ret = 1;
|
|
end:
|
|
OPENSSL_free(buf1);
|
|
OPENSSL_free(buf2);
|
|
NCONF_free(conf);
|
|
return ret;
|
|
}
|
|
|
|
int fipsinstall_main(int argc, char **argv)
|
|
{
|
|
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0;
|
|
int is_fips_140_2_prov = 0, set_selftest_onload_option = 0;
|
|
const char *section_name = "fips_sect";
|
|
const char *mac_name = "HMAC";
|
|
const char *prov_name = "fips";
|
|
BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL;
|
|
char *in_fname = NULL, *out_fname = NULL, *prog;
|
|
char *module_fname = NULL, *parent_config = NULL, *module_path = NULL;
|
|
const char *tail;
|
|
EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL;
|
|
STACK_OF(OPENSSL_STRING) *opts = NULL;
|
|
OPTION_CHOICE o;
|
|
unsigned char *read_buffer = NULL;
|
|
unsigned char module_mac[EVP_MAX_MD_SIZE];
|
|
size_t module_mac_len = EVP_MAX_MD_SIZE;
|
|
unsigned char install_mac[EVP_MAX_MD_SIZE];
|
|
size_t install_mac_len = EVP_MAX_MD_SIZE;
|
|
EVP_MAC *mac = NULL;
|
|
CONF *conf = NULL;
|
|
|
|
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
|
goto end;
|
|
|
|
prog = opt_init(argc, argv, fipsinstall_options);
|
|
while ((o = opt_next()) != OPT_EOF) {
|
|
switch (o) {
|
|
case OPT_EOF:
|
|
case OPT_ERR:
|
|
opthelp:
|
|
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
|
goto cleanup;
|
|
case OPT_HELP:
|
|
opt_help(fipsinstall_options);
|
|
ret = 0;
|
|
goto end;
|
|
case OPT_IN:
|
|
in_fname = opt_arg();
|
|
break;
|
|
case OPT_OUT:
|
|
out_fname = opt_arg();
|
|
break;
|
|
case OPT_PEDANTIC:
|
|
fips_opts = pedantic_opts;
|
|
pedantic = 1;
|
|
break;
|
|
case OPT_NO_CONDITIONAL_ERRORS:
|
|
if (!check_non_pedantic_fips(pedantic, "no_conditional_errors"))
|
|
goto end;
|
|
fips_opts.conditional_errors = 0;
|
|
break;
|
|
case OPT_NO_SECURITY_CHECKS:
|
|
if (!check_non_pedantic_fips(pedantic, "no_security_checks"))
|
|
goto end;
|
|
fips_opts.security_checks = 0;
|
|
break;
|
|
case OPT_HMAC_KEY_CHECK:
|
|
fips_opts.hmac_key_check = 1;
|
|
break;
|
|
case OPT_KMAC_KEY_CHECK:
|
|
fips_opts.kmac_key_check = 1;
|
|
break;
|
|
case OPT_TLS_PRF_EMS_CHECK:
|
|
fips_opts.tls_prf_ems_check = 1;
|
|
break;
|
|
case OPT_NO_SHORT_MAC:
|
|
fips_opts.no_short_mac = 1;
|
|
break;
|
|
case OPT_DISALLOW_DRGB_TRUNC_DIGEST:
|
|
fips_opts.drgb_no_trunc_dgst = 1;
|
|
break;
|
|
case OPT_SIGNATURE_DIGEST_CHECK:
|
|
fips_opts.signature_digest_check = 1;
|
|
break;
|
|
case OPT_HKDF_DIGEST_CHECK:
|
|
fips_opts.hkdf_digest_check = 1;
|
|
break;
|
|
case OPT_TLS13_KDF_DIGEST_CHECK:
|
|
fips_opts.tls13_kdf_digest_check = 1;
|
|
break;
|
|
case OPT_TLS1_PRF_DIGEST_CHECK:
|
|
fips_opts.tls1_prf_digest_check = 1;
|
|
break;
|
|
case OPT_SSHKDF_DIGEST_CHECK:
|
|
fips_opts.sshkdf_digest_check = 1;
|
|
break;
|
|
case OPT_SSKDF_DIGEST_CHECK:
|
|
fips_opts.sskdf_digest_check = 1;
|
|
break;
|
|
case OPT_X963KDF_DIGEST_CHECK:
|
|
fips_opts.x963kdf_digest_check = 1;
|
|
break;
|
|
case OPT_DISALLOW_DSA_SIGN:
|
|
fips_opts.dsa_sign_disabled = 1;
|
|
break;
|
|
case OPT_DISALLOW_TDES_ENCRYPT:
|
|
fips_opts.tdes_encrypt_disabled = 1;
|
|
break;
|
|
case OPT_RSA_PSS_SALTLEN_CHECK:
|
|
fips_opts.rsa_pss_saltlen_check = 1;
|
|
break;
|
|
case OPT_DISALLOW_SIGNATURE_X931_PADDING:
|
|
fips_opts.sign_x931_padding_disabled = 1;
|
|
break;
|
|
case OPT_DISALLOW_PKCS15_PADDING:
|
|
fips_opts.rsa_pkcs15_padding_disabled = 1;
|
|
break;
|
|
case OPT_HKDF_KEY_CHECK:
|
|
fips_opts.hkdf_key_check = 1;
|
|
break;
|
|
case OPT_KBKDF_KEY_CHECK:
|
|
fips_opts.kbkdf_key_check = 1;
|
|
break;
|
|
case OPT_TLS13_KDF_KEY_CHECK:
|
|
fips_opts.tls13_kdf_key_check = 1;
|
|
break;
|
|
case OPT_TLS1_PRF_KEY_CHECK:
|
|
fips_opts.tls1_prf_key_check = 1;
|
|
break;
|
|
case OPT_SSHKDF_KEY_CHECK:
|
|
fips_opts.sshkdf_key_check = 1;
|
|
break;
|
|
case OPT_SSKDF_KEY_CHECK:
|
|
fips_opts.sskdf_key_check = 1;
|
|
break;
|
|
case OPT_X963KDF_KEY_CHECK:
|
|
fips_opts.x963kdf_key_check = 1;
|
|
break;
|
|
case OPT_X942KDF_KEY_CHECK:
|
|
fips_opts.x942kdf_key_check = 1;
|
|
break;
|
|
case OPT_NO_PBKDF2_LOWER_BOUND_CHECK:
|
|
if (!check_non_pedantic_fips(pedantic, "no_pbkdf2_lower_bound_check"))
|
|
goto end;
|
|
fips_opts.pbkdf2_lower_bound_check = 0;
|
|
break;
|
|
case OPT_ECDH_COFACTOR_CHECK:
|
|
fips_opts.ecdh_cofactor_check = 1;
|
|
break;
|
|
case OPT_QUIET:
|
|
quiet = 1;
|
|
/* FALLTHROUGH */
|
|
case OPT_NO_LOG:
|
|
self_test_log = 0;
|
|
break;
|
|
case OPT_CORRUPT_DESC:
|
|
self_test_corrupt_desc = opt_arg();
|
|
break;
|
|
case OPT_CORRUPT_TYPE:
|
|
self_test_corrupt_type = opt_arg();
|
|
break;
|
|
case OPT_PROV_NAME:
|
|
prov_name = opt_arg();
|
|
break;
|
|
case OPT_MODULE:
|
|
module_fname = opt_arg();
|
|
break;
|
|
case OPT_SECTION_NAME:
|
|
section_name = opt_arg();
|
|
break;
|
|
case OPT_MAC_NAME:
|
|
mac_name = opt_arg();
|
|
break;
|
|
case OPT_CONFIG:
|
|
parent_config = opt_arg();
|
|
break;
|
|
case OPT_MACOPT:
|
|
if (!sk_OPENSSL_STRING_push(opts, opt_arg()))
|
|
goto opthelp;
|
|
if (HAS_PREFIX(opt_arg(), "hexkey:"))
|
|
gotkey = 1;
|
|
else if (HAS_PREFIX(opt_arg(), "digest:"))
|
|
gotdigest = 1;
|
|
break;
|
|
case OPT_VERIFY:
|
|
verify = 1;
|
|
break;
|
|
case OPT_SELF_TEST_ONLOAD:
|
|
set_selftest_onload_option = 1;
|
|
fips_opts.self_test_onload = 1;
|
|
break;
|
|
case OPT_SELF_TEST_ONINSTALL:
|
|
if (!check_non_pedantic_fips(pedantic, "self_test_oninstall"))
|
|
goto end;
|
|
set_selftest_onload_option = 1;
|
|
fips_opts.self_test_onload = 0;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* No extra arguments. */
|
|
if (!opt_check_rest_arg(NULL))
|
|
goto opthelp;
|
|
if (verify && in_fname == NULL) {
|
|
BIO_printf(bio_err, "Missing -in option for -verify\n");
|
|
goto opthelp;
|
|
}
|
|
|
|
if (parent_config != NULL) {
|
|
/* Test that a parent config can load the module */
|
|
if (verify_module_load(parent_config)) {
|
|
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
|
|
if (!quiet) {
|
|
BIO_printf(bio_err, "FIPS provider is %s\n",
|
|
ret == 0 ? "available" : "not available");
|
|
}
|
|
}
|
|
goto end;
|
|
}
|
|
if (module_fname == NULL)
|
|
goto opthelp;
|
|
|
|
tail = opt_path_end(module_fname);
|
|
if (tail != NULL) {
|
|
module_path = OPENSSL_strdup(module_fname);
|
|
if (module_path == NULL)
|
|
goto end;
|
|
module_path[tail - module_fname] = '\0';
|
|
if (!OSSL_PROVIDER_set_default_search_path(NULL, module_path))
|
|
goto end;
|
|
}
|
|
|
|
if (self_test_log
|
|
|| self_test_corrupt_desc != NULL
|
|
|| self_test_corrupt_type != NULL)
|
|
OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
|
|
|
|
/* Use the default FIPS HMAC digest and key if not specified. */
|
|
if (!gotdigest && !sk_OPENSSL_STRING_push(opts, "digest:SHA256"))
|
|
goto end;
|
|
if (!gotkey && !sk_OPENSSL_STRING_push(opts, "hexkey:" FIPS_KEY_STRING))
|
|
goto end;
|
|
|
|
module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY);
|
|
if (module_bio == NULL) {
|
|
BIO_printf(bio_err, "Failed to open module file\n");
|
|
goto end;
|
|
}
|
|
|
|
read_buffer = app_malloc(BUFSIZE, "I/O buffer");
|
|
if (read_buffer == NULL)
|
|
goto end;
|
|
|
|
mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
|
|
if (mac == NULL) {
|
|
BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
|
|
goto end;
|
|
}
|
|
|
|
ctx = EVP_MAC_CTX_new(mac);
|
|
if (ctx == NULL) {
|
|
BIO_printf(bio_err, "Unable to create MAC CTX for module check\n");
|
|
goto end;
|
|
}
|
|
|
|
if (opts != NULL) {
|
|
int ok = 1;
|
|
OSSL_PARAM *params =
|
|
app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
|
|
|
|
if (params == NULL)
|
|
goto end;
|
|
|
|
if (!EVP_MAC_CTX_set_params(ctx, params)) {
|
|
BIO_printf(bio_err, "MAC parameter error\n");
|
|
ERR_print_errors(bio_err);
|
|
ok = 0;
|
|
}
|
|
app_params_free(params);
|
|
if (!ok)
|
|
goto end;
|
|
}
|
|
|
|
ctx2 = EVP_MAC_CTX_dup(ctx);
|
|
if (ctx2 == NULL) {
|
|
BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n");
|
|
goto end;
|
|
}
|
|
|
|
if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
|
|
goto end;
|
|
|
|
/* Calculate the MAC for the indicator status - it may not be used */
|
|
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
|
|
strlen(INSTALL_STATUS_VAL));
|
|
if (mem_bio == NULL) {
|
|
BIO_printf(bio_err, "Unable to create memory BIO\n");
|
|
goto end;
|
|
}
|
|
if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
|
|
goto end;
|
|
|
|
if (verify) {
|
|
if (fips_opts.self_test_onload == 1)
|
|
install_mac_len = 0;
|
|
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
|
|
install_mac, install_mac_len))
|
|
goto end;
|
|
if (!quiet)
|
|
BIO_printf(bio_err, "VERIFY PASSED\n");
|
|
} else {
|
|
conf = generate_config_and_load(prov_name, section_name, module_mac,
|
|
module_mac_len, &fips_opts);
|
|
if (conf == NULL)
|
|
goto end;
|
|
if (!load_fips_prov_and_run_self_test(prov_name, &is_fips_140_2_prov))
|
|
goto end;
|
|
|
|
/*
|
|
* In OpenSSL 3.1 the code was changed so that the status indicator is
|
|
* not written out by default since this is a FIPS 140-3 requirement.
|
|
* For backwards compatibility - if the detected FIPS provider is 3.0.X
|
|
* (Which was a FIPS 140-2 validation), then the indicator status will
|
|
* be written to the config file unless 'self_test_onload' is set on the
|
|
* command line.
|
|
*/
|
|
if (set_selftest_onload_option == 0 && is_fips_140_2_prov)
|
|
fips_opts.self_test_onload = 0;
|
|
|
|
fout =
|
|
out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
|
|
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
|
|
if (fout == NULL) {
|
|
BIO_printf(bio_err, "Failed to open file\n");
|
|
goto end;
|
|
}
|
|
|
|
if (!write_config_fips_section(fout, section_name,
|
|
module_mac, module_mac_len, &fips_opts,
|
|
install_mac, install_mac_len))
|
|
goto end;
|
|
if (!quiet)
|
|
BIO_printf(bio_err, "INSTALL PASSED\n");
|
|
}
|
|
|
|
ret = 0;
|
|
end:
|
|
if (ret == 1) {
|
|
if (!quiet)
|
|
BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
|
|
cleanup:
|
|
OPENSSL_free(module_path);
|
|
BIO_free(fout);
|
|
BIO_free(mem_bio);
|
|
BIO_free(module_bio);
|
|
sk_OPENSSL_STRING_free(opts);
|
|
EVP_MAC_free(mac);
|
|
EVP_MAC_CTX_free(ctx2);
|
|
EVP_MAC_CTX_free(ctx);
|
|
OPENSSL_free(read_buffer);
|
|
free_config_and_unload(conf);
|
|
return ret;
|
|
}
|
|
|
|
static int self_test_events(const OSSL_PARAM params[], void *arg)
|
|
{
|
|
const OSSL_PARAM *p = NULL;
|
|
const char *phase = NULL, *type = NULL, *desc = NULL;
|
|
int ret = 0;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
phase = (const char *)p->data;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
desc = (const char *)p->data;
|
|
|
|
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
|
|
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
|
goto err;
|
|
type = (const char *)p->data;
|
|
|
|
if (self_test_log) {
|
|
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
|
|
BIO_printf(bio_err, "%s : (%s) : ", desc, type);
|
|
else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|
|
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|
|
BIO_printf(bio_err, "%s\n", phase);
|
|
}
|
|
/*
|
|
* The self test code will internally corrupt the KAT test result if an
|
|
* error is returned during the corrupt phase.
|
|
*/
|
|
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
|
|
&& (self_test_corrupt_desc != NULL
|
|
|| self_test_corrupt_type != NULL)) {
|
|
if (self_test_corrupt_desc != NULL
|
|
&& strcmp(self_test_corrupt_desc, desc) != 0)
|
|
goto end;
|
|
if (self_test_corrupt_type != NULL
|
|
&& strcmp(self_test_corrupt_type, type) != 0)
|
|
goto end;
|
|
BIO_printf(bio_err, "%s ", phase);
|
|
goto err;
|
|
}
|
|
end:
|
|
ret = 1;
|
|
err:
|
|
return ret;
|
|
}
|