diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2020-09-10 14:01:30 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-09-12 16:46:51 +1000 |
commit | 35e6ea3bdc2741c1818337e75756b45d6a2a6122 (patch) | |
tree | 5e3220d285fb8cbc899c7e7565475c832c00943e /providers | |
parent | 801ed9edbad11b3f0646b396c672dbae33353de2 (diff) |
keygen: add FIPS error state management to conditional self tests
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12801)
Diffstat (limited to 'providers')
-rw-r--r-- | providers/common/include/prov/providercommon.h | 2 | ||||
-rw-r--r-- | providers/common/include/prov/providercommonerr.h | 3 | ||||
-rw-r--r-- | providers/common/provider_err.c | 2 | ||||
-rw-r--r-- | providers/fips/fipsprov.c | 7 | ||||
-rw-r--r-- | providers/fips/self_test.c | 20 | ||||
-rw-r--r-- | providers/fips/self_test.h | 5 | ||||
-rw-r--r-- | providers/implementations/rands/crngt.c | 3 | ||||
-rw-r--r-- | providers/prov_running.c | 4 |
8 files changed, 37 insertions, 9 deletions
diff --git a/providers/common/include/prov/providercommon.h b/providers/common/include/prov/providercommon.h index 280d2d2072..44e9c812aa 100644 --- a/providers/common/include/prov/providercommon.h +++ b/providers/common/include/prov/providercommon.h @@ -20,7 +20,7 @@ int cipher_capable_aes_cbc_hmac_sha256(void); OSSL_FUNC_provider_get_capabilities_fn provider_get_capabilities; /* Set the error state if this is a FIPS module */ -void ossl_set_error_state(void); +void ossl_set_error_state(const char *type); /* Return true if the module is in a usable condition */ int ossl_prov_is_running(void); diff --git a/providers/common/include/prov/providercommonerr.h b/providers/common/include/prov/providercommonerr.h index d4d3c7e8e8..d972a819e2 100644 --- a/providers/common/include/prov/providercommonerr.h +++ b/providers/common/include/prov/providercommonerr.h @@ -75,6 +75,7 @@ int ERR_load_PROV_strings(void); # define PROV_R_FAILED_TO_GET_PARAMETER 103 # define PROV_R_FAILED_TO_SET_PARAMETER 104 # define PROV_R_FAILED_TO_SIGN 175 +# define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227 # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224 # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225 # define PROV_R_GENERATE_ERROR 191 @@ -133,7 +134,7 @@ int ERR_load_PROV_strings(void); # define PROV_R_NOT_A_PRIVATE_KEY 221 # define PROV_R_NOT_A_PUBLIC_KEY 220 # define PROV_R_NOT_INSTANTIATED 193 -# define PROV_R_NOT_PARAMETERS 224 +# define PROV_R_NOT_PARAMETERS 226 # define PROV_R_NOT_SUPPORTED 136 # define PROV_R_NOT_XOF_OR_INVALID_LENGTH 113 # define PROV_R_NO_KEY_SET 114 diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c index 329bb279eb..606d78cc57 100644 --- a/providers/common/provider_err.c +++ b/providers/common/provider_err.c @@ -58,6 +58,8 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER), "failed to set parameter"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR), + "fips module conditional error"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE), "fips module entering error state"}, {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_IN_ERROR_STATE), diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 0f1c979efe..4290a87e6e 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -126,6 +126,9 @@ static OSSL_PARAM core_params[] = OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, selftest_params.indicator_version, sizeof(selftest_params.indicator_version)), + OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, + selftest_params.conditional_error_check, + sizeof(selftest_params.conditional_error_check)), OSSL_PARAM_END }; @@ -645,6 +648,10 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER); return 0; } + /* Disable the conditional error check if is disabled in the fips config file*/ + if (selftest_params.conditional_error_check != NULL + && strcmp(selftest_params.conditional_error_check, "0") == 0) + SELF_TEST_disable_conditional_error_state(); /* Create a context. */ if ((*provctx = PROV_CTX_new()) == NULL diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c index b0df0863e2..9d95f0ccf1 100644 --- a/providers/fips/self_test.c +++ b/providers/fips/self_test.c @@ -44,6 +44,7 @@ #define MAC_NAME "HMAC" #define DIGEST_NAME "SHA256" +static int FIPS_conditional_error_check = 1; static int FIPS_state = FIPS_STATE_INIT; static CRYPTO_RWLOCK *self_test_lock = NULL; static unsigned char fixed_key[32] = { FIPS_KEY_ELEMENTS }; @@ -311,16 +312,27 @@ end: if (ok) FIPS_state = FIPS_STATE_RUNNING; else - ossl_set_error_state(); + ossl_set_error_state(OSSL_SELF_TEST_TYPE_NONE); CRYPTO_THREAD_unlock(self_test_lock); return ok; } -void ossl_set_error_state(void) +void SELF_TEST_disable_conditional_error_state(void) { - FIPS_state = FIPS_STATE_ERROR; - ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); + FIPS_conditional_error_check = 0; +} + +void ossl_set_error_state(const char *type) +{ + int cond_test = (type != NULL && strcmp(type, OSSL_SELF_TEST_TYPE_PCT) == 0); + + if (!cond_test || (FIPS_conditional_error_check == 1)) { + FIPS_state = FIPS_STATE_ERROR; + ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE); + } else { + ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR); + } } int ossl_prov_is_running(void) diff --git a/providers/fips/self_test.h b/providers/fips/self_test.h index 20f8a12472..205623cc3d 100644 --- a/providers/fips/self_test.h +++ b/providers/fips/self_test.h @@ -21,6 +21,9 @@ typedef struct self_test_post_params_st { const char *indicator_data; /* data to perform MAC on */ const char *indicator_checksum_data; /* Expected MAC integrity value */ + /* Used for continuous tests */ + const char *conditional_error_check; + /* BIO callbacks supplied to the FIPS provider */ OSSL_FUNC_BIO_new_file_fn *bio_new_file_cb; OSSL_FUNC_BIO_new_membuf_fn *bio_new_buffer_cb; @@ -34,3 +37,5 @@ typedef struct self_test_post_params_st { int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test); int SELF_TEST_kats(OSSL_SELF_TEST *event, OPENSSL_CTX *libctx); + +void SELF_TEST_disable_conditional_error_state(void); diff --git a/providers/implementations/rands/crngt.c b/providers/implementations/rands/crngt.c index 9a9e9c703b..e23485291b 100644 --- a/providers/implementations/rands/crngt.c +++ b/providers/implementations/rands/crngt.c @@ -16,6 +16,7 @@ #include <openssl/evp.h> #include <openssl/core_dispatch.h> #include <openssl/params.h> +#include <openssl/self_test.h> #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "internal/cryptlib.h" @@ -99,7 +100,7 @@ static int prov_crngt_compare_previous(const unsigned char *prev, const int res = memcmp(prev, cur, sz) != 0; if (!res) - ossl_set_error_state(); + ossl_set_error_state(OSSL_SELF_TEST_TYPE_CRNG); return res; } diff --git a/providers/prov_running.c b/providers/prov_running.c index 7e62dedf4d..379fd5d25c 100644 --- a/providers/prov_running.c +++ b/providers/prov_running.c @@ -11,11 +11,11 @@ #include "prov/providercommon.h" /* By default, our providers don't have an error state */ -void ossl_set_error_state(void) +void ossl_set_error_state(const char *type) { } -/* By default, out providers are always in a happy state */ +/* By default, our providers are always in a happy state */ int ossl_prov_is_running(void) { return 1; |