diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-05 13:08:27 +1000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-09-18 14:20:50 +0100 |
commit | 991a6bb58182d4d2077a68eb813c897b7de73462 (patch) | |
tree | 738fc724534be090323181dc445cf19e442b827c /providers | |
parent | 7a810fac866c6c1d93015999633ee2a29f17b3d2 (diff) |
Add option to fipsinstall to disable fips security checks at run time.
Changes merged from a patch by @richsalz.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/common/securitycheck.c | 2 | ||||
-rw-r--r-- | providers/common/securitycheck_fips.c | 5 | ||||
-rw-r--r-- | providers/fips/fipsprov.c | 21 | ||||
-rw-r--r-- | providers/implementations/signature/rsa.c | 2 |
4 files changed, 26 insertions, 4 deletions
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c index 624843e3ab..9a425fb630 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -203,7 +203,7 @@ int digest_is_allowed(const EVP_MD *md) { # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) if (securitycheck_enabled()) - return (digest_get_approved_nid(md) != NID_undef); + return digest_get_approved_nid(md) != NID_undef; # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ return 1; } diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c index f73eae9569..94457d6ccf 100644 --- a/providers/common/securitycheck_fips.c +++ b/providers/common/securitycheck_fips.c @@ -19,11 +19,12 @@ #include "prov/securitycheck.h" #include "prov/providercommonerr.h" +extern int FIPS_security_check_enabled(void); + int securitycheck_enabled(void) { #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS) - /* TODO(3.0): make this configurable */ - return 1; + return FIPS_security_check_enabled(); #else return 0; #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 4290a87e6e..aec262654e 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -37,6 +37,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) extern OSSL_FUNC_core_thread_start_fn *c_thread_start; +int FIPS_security_check_enabled(void); /* * TODO(3.0): Should these be stored in the provider side provctx? Could they @@ -46,6 +47,8 @@ extern OSSL_FUNC_core_thread_start_fn *c_thread_start; */ static SELF_TEST_POST_PARAMS selftest_params; +static int fips_security_checks = 1; +static const char *fips_security_check_option = "1"; /* Functions provided by the core */ static OSSL_FUNC_core_gettable_params_fn *c_gettable_params; @@ -100,6 +103,7 @@ static const OSSL_PARAM fips_param_types[] = { OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), OSSL_PARAM_END }; @@ -108,6 +112,7 @@ static const OSSL_PARAM fips_param_types[] = { * NOTE: inside core_get_params() these will be loaded from config items * stored inside prov->parameters (except for * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). + * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. */ static OSSL_PARAM core_params[] = { @@ -129,6 +134,9 @@ static OSSL_PARAM core_params[] = OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, selftest_params.conditional_error_check, sizeof(selftest_params.conditional_error_check)), + OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + fips_security_check_option, + sizeof(fips_security_check_option)), OSSL_PARAM_END }; @@ -153,6 +161,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); + if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks)) + return 0; return 1; } @@ -653,6 +664,11 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, && strcmp(selftest_params.conditional_error_check, "0") == 0) SELF_TEST_disable_conditional_error_state(); + /* Disable the security check if is disabled in the fips config file*/ + if (fips_security_check_option != NULL + && strcmp(fips_security_check_option, "0") == 0) + fips_security_checks = 0; + /* Create a context. */ if ((*provctx = PROV_CTX_new()) == NULL || (libctx = OPENSSL_CTX_new()) == NULL) { @@ -858,3 +874,8 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...) va_end(args); return ret; } + +int FIPS_security_check_enabled(void) +{ + return fips_security_checks; +} diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c index 5209ac992b..f2a02a7542 100644 --- a/providers/implementations/signature/rsa.c +++ b/providers/implementations/signature/rsa.c @@ -1244,7 +1244,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { OSSL_PARAM_END }; -static const OSSL_PARAM *rsa_settable_ctx_params(void *provctx) +static const OSSL_PARAM *rsa_settable_ctx_params(ossl_unused void *provctx) { /* * TODO(3.0): Should this function return a different set of settable ctx |