Add option to fipsinstall to disable fips security checks at run time.

Changes merged from a patch by @richsalz. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
author: Shane Lontis <shane.lontis@oracle.com> 2020-09-05 13:08:27 +1000
committer: Matt Caswell <matt@openssl.org> 2020-09-18 14:20:50 +0100
commit: 991a6bb58182d4d2077a68eb813c897b7de73462 (patch)
tree: 738fc724534be090323181dc445cf19e442b827c /providers
parent: 7a810fac866c6c1d93015999633ee2a29f17b3d2 (diff)
4 files changed, 26 insertions, 4 deletions
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
index 624843e3ab..9a425fb630 100644
--- a/providers/common/securitycheck.c
+++ b/providers/common/securitycheck.c
@@ -203,7 +203,7 @@ int digest_is_allowed(const EVP_MD *md)
 {
 # if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
     if (securitycheck_enabled())
-        return (digest_get_approved_nid(md) != NID_undef);
+        return digest_get_approved_nid(md) != NID_undef;
 # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
     return 1;
 }
diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c
index f73eae9569..94457d6ccf 100644
--- a/providers/common/securitycheck_fips.c
+++ b/providers/common/securitycheck_fips.c
@@ -19,11 +19,12 @@
 #include "prov/securitycheck.h"
 #include "prov/providercommonerr.h"
 
+extern int FIPS_security_check_enabled(void);
+
 int securitycheck_enabled(void)
 {
 #if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
-    /* TODO(3.0): make this configurable */
-    return 1;
+    return FIPS_security_check_enabled();
 #else
     return 0;
 #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */
diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c
index 4290a87e6e..aec262654e 100644
--- a/providers/fips/fipsprov.c
+++ b/providers/fips/fipsprov.c
@@ -37,6 +37,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query;
 #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL)
 
 extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
+int FIPS_security_check_enabled(void);
 
 /*
  * TODO(3.0): Should these be stored in the provider side provctx? Could they
@@ -46,6 +47,8 @@ extern OSSL_FUNC_core_thread_start_fn *c_thread_start;
  */
 
 static SELF_TEST_POST_PARAMS selftest_params;
+static int fips_security_checks = 1;
+static const char *fips_security_check_option = "1";
 
 /* Functions provided by the core */
 static OSSL_FUNC_core_gettable_params_fn *c_gettable_params;
@@ -100,6 +103,7 @@ static const OSSL_PARAM fips_param_types[] = {
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_VERSION, OSSL_PARAM_UTF8_PTR, NULL, 0),
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0),
     OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0),
+    OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -108,6 +112,7 @@ static const OSSL_PARAM fips_param_types[] = {
  * NOTE: inside core_get_params() these will be loaded from config items
  * stored inside prov->parameters (except for
  * OSSL_PROV_PARAM_CORE_MODULE_FILENAME).
+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter.
  */
 static OSSL_PARAM core_params[] =
 {
@@ -129,6 +134,9 @@ static OSSL_PARAM core_params[] =
     OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
                         selftest_params.conditional_error_check,
                         sizeof(selftest_params.conditional_error_check)),
+    OSSL_PARAM_utf8_ptr(OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
+                        fips_security_check_option,
+                        sizeof(fips_security_check_option)),
     OSSL_PARAM_END
 };
 
@@ -153,6 +161,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[])
     p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS);
     if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running()))
         return 0;
+    p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS);
+    if (p != NULL && !OSSL_PARAM_set_int(p, fips_security_checks))
+        return 0;
     return 1;
 }
 
@@ -653,6 +664,11 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
         && strcmp(selftest_params.conditional_error_check, "0") == 0)
         SELF_TEST_disable_conditional_error_state();
 
+    /* Disable the security check if is disabled in the fips config file*/
+    if (fips_security_check_option != NULL
+        && strcmp(fips_security_check_option, "0") == 0)
+        fips_security_checks = 0;
+
     /*  Create a context. */
     if ((*provctx = PROV_CTX_new()) == NULL
         || (libctx = OPENSSL_CTX_new()) == NULL) {
@@ -858,3 +874,8 @@ int BIO_snprintf(char *buf, size_t n, const char *format, ...)
     va_end(args);
     return ret;
 }
+
+int FIPS_security_check_enabled(void)
+{
+    return fips_security_checks;
+}
diff --git a/providers/implementations/signature/rsa.c b/providers/implementations/signature/rsa.c
index 5209ac992b..f2a02a7542 100644
--- a/providers/implementations/signature/rsa.c
+++ b/providers/implementations/signature/rsa.c
@@ -1244,7 +1244,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
     OSSL_PARAM_END
 };
 
-static const OSSL_PARAM *rsa_settable_ctx_params(void *provctx)
+static const OSSL_PARAM *rsa_settable_ctx_params(ossl_unused void *provctx)
 {
     /*
      * TODO(3.0): Should this function return a different set of settable ctx
author	Shane Lontis <shane.lontis@oracle.com>	2020-09-05 13:08:27 +1000
committer	Matt Caswell <matt@openssl.org>	2020-09-18 14:20:50 +0100
commit	991a6bb58182d4d2077a68eb813c897b7de73462 (patch)
tree	738fc724534be090323181dc445cf19e442b827c /providers
parent	7a810fac866c6c1d93015999633ee2a29f17b3d2 (diff)