From bc2a4225a4a03f70bb0154a72c2889aa80c1b0f6 Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 17 Apr 2023 15:31:29 +1000 Subject: fipsinstall: add -pedantic option This adds a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility. Reviewed-by: Shane Lontis Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/20752) --- apps/fipsinstall.c | 103 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 64 insertions(+), 39 deletions(-) (limited to 'apps/fipsinstall.c') diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 3b0c52f1f5..0f6cf5f3ac 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -33,7 +33,7 @@ static int quiet = 0; typedef enum OPTION_choice { OPT_COMMON, - OPT_IN, OPT_OUT, OPT_MODULE, + OPT_IN, OPT_OUT, OPT_MODULE, OPT_PEDANTIC, OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY, OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG, OPT_NO_CONDITIONAL_ERRORS, @@ -46,6 +46,7 @@ typedef enum OPTION_choice { const OPTIONS fipsinstall_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"pedantic", OPT_PEDANTIC, '-', "Set options for strict FIPS compliance"}, {"verify", OPT_VERIFY, '-', "Verify a config file instead of generating one"}, {"module", OPT_MODULE, '<', "File name of the provider module"}, @@ -81,6 +82,41 @@ const OPTIONS fipsinstall_options[] = { {NULL} }; +typedef struct { + unsigned int self_test_onload : 1; + unsigned int conditional_errors : 1; + unsigned int security_checks : 1; + unsigned int tls_prf_ems_check : 1; + unsigned int drgb_no_trunc_dgst : 1; +} FIPS_OPTS; + +/* Pedantic FIPS compliance */ +static const FIPS_OPTS pedantic_opts = { + 1, /* self_test_onload */ + 1, /* conditional_errors */ + 1, /* security_checks */ + 1, /* tls_prf_ems_check */ + 1, /* drgb_no_trunc_dgst */ +}; + +/* Default FIPS settings for backward compatibility */ +static FIPS_OPTS fips_opts = { + 1, /* self_test_onload */ + 1, /* conditional_errors */ + 1, /* security_checks */ + 0, /* tls_prf_ems_check */ + 0, /* drgb_no_trunc_dgst */ +}; + +static int check_non_pedantic_fips(int pedantic, const char *name) +{ + if (pedantic) { + BIO_printf(bio_err, "Cannot specify -%s after -pedantic\n", name); + return 0; + } + return 1; +} + static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in, unsigned char *out, size_t *out_len) { @@ -175,10 +211,7 @@ static int write_config_header(BIO *out, const char *prov_name, static int write_config_fips_section(BIO *out, const char *section, unsigned char *module_mac, size_t module_mac_len, - int conditional_errors, - int security_checks, - int ems_check, - int drgb_no_trunc_dgst, + const FIPS_OPTS *opts, unsigned char *install_mac, size_t install_mac_len) { @@ -189,13 +222,13 @@ static int write_config_fips_section(BIO *out, const char *section, || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION, VERSION_VAL) <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS, - conditional_errors ? "1" : "0") <= 0 + opts->conditional_errors ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - security_checks ? "1" : "0") <= 0 + opts->security_checks ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, - ems_check ? "1" : "0") <= 0 + opts->tls_prf_ems_check ? "1" : "0") <= 0 || BIO_printf(out, "%s = %s\n", OSSL_PROV_PARAM_DRBG_TRUNC_DIGEST, - drgb_no_trunc_dgst ? "1" : "0") <= 0 + opts->drgb_no_trunc_dgst ? "1" : "0") <= 0 || !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac, module_mac_len)) goto end; @@ -216,10 +249,7 @@ static CONF *generate_config_and_load(const char *prov_name, const char *section, unsigned char *module_mac, size_t module_mac_len, - int conditional_errors, - int security_checks, - int ems_check, - int drgb_no_trunc_dgst) + const FIPS_OPTS *opts) { BIO *mem_bio = NULL; CONF *conf = NULL; @@ -230,11 +260,7 @@ static CONF *generate_config_and_load(const char *prov_name, if (!write_config_header(mem_bio, prov_name, section) || !write_config_fips_section(mem_bio, section, module_mac, module_mac_len, - conditional_errors, - security_checks, - ems_check, - drgb_no_trunc_dgst, - NULL, 0)) + opts, NULL, 0)) goto end; conf = app_load_config_bio(mem_bio, NULL); @@ -329,10 +355,7 @@ end: int fipsinstall_main(int argc, char **argv) { - int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1; - int enable_conditional_errors = 1, enable_security_checks = 1; - int enable_tls_prf_ems_check = 0; /* This is off by default */ - int enable_drgb_no_trunc_dgst = 0; /* This is off by default */ + int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, pedantic = 0; const char *section_name = "fips_sect"; const char *mac_name = "HMAC"; const char *prov_name = "fips"; @@ -372,17 +395,25 @@ opthelp: case OPT_OUT: out_fname = opt_arg(); break; + case OPT_PEDANTIC: + fips_opts = pedantic_opts; + pedantic = 1; + break; case OPT_NO_CONDITIONAL_ERRORS: - enable_conditional_errors = 0; + if (!check_non_pedantic_fips(pedantic, "no_conditional_errors")) + goto end; + fips_opts.conditional_errors = 0; break; case OPT_NO_SECURITY_CHECKS: - enable_security_checks = 0; + if (!check_non_pedantic_fips(pedantic, "no_security_checks")) + goto end; + fips_opts.security_checks = 0; break; case OPT_TLS_PRF_EMS_CHECK: - enable_tls_prf_ems_check = 1; + fips_opts.tls_prf_ems_check = 1; break; case OPT_DISALLOW_DRGB_TRUNC_DIGEST: - enable_drgb_no_trunc_dgst = 1; + fips_opts.drgb_no_trunc_dgst = 1; break; case OPT_QUIET: quiet = 1; @@ -423,10 +454,12 @@ opthelp: verify = 1; break; case OPT_SELF_TEST_ONLOAD: - self_test_onload = 1; + fips_opts.self_test_onload = 1; break; case OPT_SELF_TEST_ONINSTALL: - self_test_onload = 0; + if (!check_non_pedantic_fips(pedantic, "self_test_oninstall")) + goto end; + fips_opts.self_test_onload = 0; break; } } @@ -523,7 +556,7 @@ opthelp: if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len)) goto end; - if (self_test_onload == 0) { + if (fips_opts.self_test_onload == 0) { mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL, strlen(INSTALL_STATUS_VAL)); if (mem_bio == NULL) { @@ -545,11 +578,7 @@ opthelp: } else { conf = generate_config_and_load(prov_name, section_name, module_mac, - module_mac_len, - enable_conditional_errors, - enable_security_checks, - enable_tls_prf_ems_check, - enable_drgb_no_trunc_dgst); + module_mac_len, &fips_opts); if (conf == NULL) goto end; if (!load_fips_prov_and_run_self_test(prov_name)) @@ -563,11 +592,7 @@ opthelp: goto end; } if (!write_config_fips_section(fout, section_name, - module_mac, module_mac_len, - enable_conditional_errors, - enable_security_checks, - enable_tls_prf_ems_check, - enable_drgb_no_trunc_dgst, + module_mac, module_mac_len, &fips_opts, install_mac, install_mac_len)) goto end; if (!quiet) -- cgit v1.2.3