Add fipsinstall option to run self test KATS on module load

Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15149)
author: Shane Lontis <shane.lontis@oracle.com> 2021-05-05 10:36:41 +1000
committer: Shane Lontis <shane.lontis@oracle.com> 2021-05-25 14:57:48 +1000
commit: 2abffec0f02ef400ca434890f5baf08fc24dd7ca (patch)
tree: 6a6a370c7b6be2effd7c834cdaa687dfa499a819 /apps/fipsinstall.c
parent: a861711bcded8e259156342be697d72ec65f0aa2 (diff)
1 files changed, 38 insertions, 26 deletions
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 6a104e60aa..4defa0ab81 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -38,7 +38,8 @@ typedef enum OPTION_choice {
     OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
     OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
     OPT_NO_CONDITIONAL_ERRORS,
-    OPT_NO_SECURITY_CHECKS
+    OPT_NO_SECURITY_CHECKS,
+    OPT_SELF_TEST_ONLOAD
 } OPTION_CHOICE;
 
 const OPTIONS fipsinstall_options[] = {
@@ -55,6 +56,8 @@ const OPTIONS fipsinstall_options[] = {
       " any conditional self tests fail"},
     {"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
      "Disable the run-time FIPS security checks in the module"},
+    {"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
+     "Forces self tests to always run on module load"},
     OPT_SECTION("Input"),
     {"in", OPT_IN, '<', "Input config file, used when verifying"},
 
@@ -163,7 +166,7 @@ static int write_config_fips_section(BIO *out, const char *section,
                       module_mac_len))
         goto end;
 
-    if (install_mac != NULL) {
+    if (install_mac != NULL && install_mac_len > 0) {
         if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
                        install_mac_len)
             || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
@@ -247,11 +250,6 @@ static int verify_config(const char *infile, const char *section,
         BIO_printf(bio_err, "version not found\n");
         goto end;
     }
-    s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
-    if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) {
-        BIO_printf(bio_err, "install status not found\n");
-        goto end;
-    }
     s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC);
     if (s == NULL) {
         BIO_printf(bio_err, "Module integrity MAC not found\n");
@@ -264,17 +262,24 @@ static int verify_config(const char *infile, const char *section,
         BIO_printf(bio_err, "Module integrity mismatch\n");
         goto end;
     }
-    s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
-    if (s == NULL) {
-        BIO_printf(bio_err, "Install indicator MAC not found\n");
-        goto end;
-    }
-    buf2 = OPENSSL_hexstr2buf(s, &len);
-    if (buf2 == NULL
-            || (size_t)len != install_mac_len
-            || memcmp(install_mac, buf2, install_mac_len) != 0) {
-        BIO_printf(bio_err, "Install indicator status mismatch\n");
-        goto end;
+    if (install_mac != NULL && install_mac_len > 0) {
+        s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
+        if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) {
+            BIO_printf(bio_err, "install status not found\n");
+            goto end;
+        }
+        s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
+        if (s == NULL) {
+            BIO_printf(bio_err, "Install indicator MAC not found\n");
+            goto end;
+        }
+        buf2 = OPENSSL_hexstr2buf(s, &len);
+        if (buf2 == NULL
+                || (size_t)len != install_mac_len
+                || memcmp(install_mac, buf2, install_mac_len) != 0) {
+            BIO_printf(bio_err, "Install indicator status mismatch\n");
+            goto end;
+        }
     }
     ret = 1;
 end:
@@ -286,7 +291,7 @@ end:
 
 int fipsinstall_main(int argc, char **argv)
 {
-    int ret = 1, verify = 0, gotkey = 0, gotdigest = 0;
+    int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
     int enable_conditional_errors = 1, enable_security_checks = 1;
     const char *section_name = "fips_sect";
     const char *mac_name = "HMAC";
@@ -371,6 +376,9 @@ opthelp:
         case OPT_VERIFY:
             verify = 1;
             break;
+        case OPT_SELF_TEST_ONLOAD:
+            self_test_onload = 1;
+            break;
         }
     }
 
@@ -462,14 +470,18 @@ opthelp:
     if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
         goto end;
 
-    mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
-                              strlen(INSTALL_STATUS_VAL));
-    if (mem_bio == NULL) {
-        BIO_printf(bio_err, "Unable to create memory BIO\n");
-        goto end;
+    if (self_test_onload == 0) {
+        mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
+                                  strlen(INSTALL_STATUS_VAL));
+        if (mem_bio == NULL) {
+            BIO_printf(bio_err, "Unable to create memory BIO\n");
+            goto end;
+        }
+        if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
+            goto end;
+    } else {
+        install_mac_len = 0;
     }
-    if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
-        goto end;
 
     if (verify) {
         if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
author	Shane Lontis <shane.lontis@oracle.com>	2021-05-05 10:36:41 +1000
committer	Shane Lontis <shane.lontis@oracle.com>	2021-05-25 14:57:48 +1000
commit	2abffec0f02ef400ca434890f5baf08fc24dd7ca (patch)
tree	6a6a370c7b6be2effd7c834cdaa687dfa499a819 /apps/fipsinstall.c
parent	a861711bcded8e259156342be697d72ec65f0aa2 (diff)