OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
OPT_NO_CONDITIONAL_ERRORS,
OPT_NO_SECURITY_CHECKS,
- OPT_SELF_TEST_ONLOAD
+ OPT_SELF_TEST_ONLOAD, OPT_SELF_TEST_ONINSTALL
} OPTION_CHOICE;
const OPTIONS fipsinstall_options[] = {
"Disable the run-time FIPS security checks in the module"},
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
"Forces self tests to always run on module load"},
+ {"self_test_oninstall", OPT_SELF_TEST_ONINSTALL, '-',
+ "Forces self tests to run once on module installation"},
OPT_SECTION("Input"),
{"in", OPT_IN, '<', "Input config file, used when verifying"},
{
int ret = 0;
OSSL_PROVIDER *prov = NULL;
+ OSSL_PARAM params[4], *p = params;
+ char *name = "", *vers = "", *build = "";
prov = OSSL_PROVIDER_load(NULL, prov_name);
if (prov == NULL) {
BIO_printf(bio_err, "Failed to load FIPS module\n");
goto end;
}
+ if (!quiet) {
+ *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_NAME,
+ &name, sizeof(name));
+ *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_VERSION,
+ &vers, sizeof(vers));
+ *p++ = OSSL_PARAM_construct_utf8_ptr(OSSL_PROV_PARAM_BUILDINFO,
+ &build, sizeof(build));
+ *p = OSSL_PARAM_construct_end();
+ if (!OSSL_PROVIDER_get_params(prov, params)) {
+ BIO_printf(bio_err, "Failed to query FIPS module parameters\n");
+ goto end;
+ }
+ if (OSSL_PARAM_modified(params))
+ BIO_printf(bio_err, "\t%-10s\t%s\n", "name:", name);
+ if (OSSL_PARAM_modified(params + 1))
+ BIO_printf(bio_err, "\t%-10s\t%s\n", "version:", vers);
+ if (OSSL_PARAM_modified(params + 2))
+ BIO_printf(bio_err, "\t%-10s\t%s\n", "build:", build);
+ }
ret = 1;
end:
OSSL_PROVIDER_unload(prov);
int fipsinstall_main(int argc, char **argv)
{
- int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
+ int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 1;
int enable_conditional_errors = 1, enable_security_checks = 1;
const char *section_name = "fips_sect";
const char *mac_name = "HMAC";
case OPT_SELF_TEST_ONLOAD:
self_test_onload = 1;
break;
+ case OPT_SELF_TEST_ONINSTALL:
+ self_test_onload = 0;
+ break;
}
}
/* Test that a parent config can load the module */
if (verify_module_load(parent_config)) {
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
- if (!quiet)
+ if (!quiet) {
BIO_printf(bio_err, "FIPS provider is %s\n",
ret == 0 ? "available" : " not available");
+ }
}
goto end;
}
[B<-no_conditional_errors>]
[B<-no_security_checks>]
[B<-self_test_onload>]
+[B<-self_test_oninstall>]
[B<-corrupt_desc> I<selftest_description>]
[B<-corrupt_type> I<selftest_type>]
[B<-config> I<parent_config>]
could possibly then add the 2 fields into the configuration using some other
mechanism.
+This is the default.
+
+=item B<-self_test_oninstall>
+
+The converse of B<-self_test_oninstall>. The two fields related to the
+"test status indicator" and "MAC status indicator" are written to the
+output configuration file.
+
=item B<-quiet>
Do not output pass/fail messages. Implies B<-noout>.
For normal usage the base configuration file should use the default provider
when generating the fips configuration file.
+The B<-self_test_oninstall> option was added and the
+B<-self_test_onload> option was made the default in OpenSSL 3.1.
+
+The command and all remaining options were added in OpenSSL 3.0.
+
=head1 EXAMPLES
Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
plan skip_all => "Test only supported in a fips build" if disabled("fips");
-plan tests => 30;
+plan tests => 31;
my $infile = bldtop_file('providers', platform->dso('fips'));
my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
'-provider_name', 'fips', '-mac_name', 'HMAC',
'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
- '-section_name', 'fips_sect',
+ '-section_name', 'fips_sect', '-self_test_oninstall',
'-corrupt_desc', 'DSA',
'-corrupt_type', 'KAT_Signature'])),
"fipsinstall fails when the signature result is corrupted");
'-module', $infile, '-self_test_onload', '-verify'])),
"fipsinstall config verify passes when self test indicator is not present");
}
+
+SKIP: {
+ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
+ capture => 1, statusvar => \my $exit);
+ skip "FIPS provider version can run self tests on install", 1
+ if !$exit;
+ ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
+ '-section_name', 'fips_sect', '-self_test_oninstall'])),
+ "fipsinstall fails when attempting to run self tests on install");
+}
projects / openssl.git / commitdiff