From 7057dddbcb5e053470121adeff0b6595fa6da0d8 Mon Sep 17 00:00:00 2001 From: Pauli Date: Wed, 26 Oct 2022 13:51:02 +1100 Subject: fipsinstall: add -self_test_oninstall option. This option runs the self tests at installation time. It fails for the 3.1 module. Also changed the default behaviour to that set by the -self_test_onload option. Reviewed-by: Tomas Mraz Reviewed-by: Tim Hudson Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/19510) --- apps/fipsinstall.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) (limited to 'apps') diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c index 5af007083a..5198e0863e 100644 --- a/apps/fipsinstall.c +++ b/apps/fipsinstall.c @@ -38,7 +38,7 @@ typedef enum OPTION_choice { OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG, OPT_NO_CONDITIONAL_ERRORS, OPT_NO_SECURITY_CHECKS, - OPT_SELF_TEST_ONLOAD + OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL } OPTION_CHOICE; const OPTIONS fipsinstall_options[] = { @@ -57,6 +57,8 @@ const OPTIONS fipsinstall_options[] = { "Disable the run-time FIPS security checks in the module"}, {"self_test_onload", OPT_SELF_TEST_ONLOAD, '-', "Forces self tests to always run on module load"}, + {"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-', + "Forces self tests to run once on module installation"}, OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input config file, used when verifying"}, @@ -100,12 +102,33 @@ static int load_fips_prov_and_run_self_test(const char *prov_name) { int ret = 0; OSSL_PROVIDER *prov = NULL; + OSSL_PARAM params[4], *p = params; + char *name = "", *vers = "", *build = ""; prov = OSSL_PROVIDER_load(NULL, prov_name); if (prov == NULL) { BIO_printf(bio_err, "Failed to load FIPS module\n"); goto end; } + if (!quiet) { + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME, + &name, sizeof(name)); + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION, + &vers, sizeof(vers)); + *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO, + &build, sizeof(build)); + *p = OSSL_PARAM_construct_end(); + if (!OSSL_PROVIDER_get_params(prov, params)) { + BIO_printf(bio_err, "Failed to query FIPS module parameters\n"); + goto end; + } + if (OSSL_PARAM_modified(params)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name); + if (OSSL_PARAM_modified(params + 1)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers); + if (OSSL_PARAM_modified(params + 2)) + BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build); + } ret = 1; end: OSSL_PROVIDER_unload(prov); @@ -290,7 +313,7 @@ end: int fipsinstall_main(int argc, char **argv) { - int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0; + int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1; int enable_conditional_errors = 1, enable_security_checks = 1; const char *section_name = "fips_sect"; const char *mac_name = "HMAC"; @@ -378,6 +401,9 @@ opthelp: case OPT_SELF_TEST_ONLOAD: self_test_onload = 1; break; + case OPT_SELF_TEST_ONINSTALL: + self_test_onload = 0; + break; } } @@ -393,9 +419,10 @@ opthelp: /* Test that a parent config can load the module */ if (verify_module_load(parent_config)) { ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1; - if (!quiet) + if (!quiet) { BIO_printf(bio_err, "FIPS provider is %s\n", ret == 0 ? "available" : " not available"); + } } goto end; } -- cgit v1.2.3