From 1cd2c1f857e114f176eee01c96e27a8d7a14a356 Mon Sep 17 00:00:00 2001
From: Rich Salz
Date: Tue, 25 Feb 2020 16:27:24 -0500
Subject: [PATCH] Update some nits around the FIPS module
- Changed the generated FIPS signature file to be "fipsmodule.conf" since it contains information about the FIPS module/file.
- Add -q option to fipsinstall command, to stop chatty verbose status messages.
- Document env var OPENSSL_CONF_INCLUDE
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/11177)
---
 .gitignore | 7 +++----
 apps/fipsinstall.c | 19 ++++++++++++++-----
 doc/man1/openssl-fipsinstall.pod.in | 8 ++++++--
 test/default-and-fips.cnf | 2 +-
 test/fips.cnf | 2 +-
 test/recipes/30-test_evp.t | 2 +-
 test/recipes/30-test_evp_fetch_prov.t | 2 +-
 7 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/.gitignore b/.gitignore
index a2ff5f1c25..856a6c71d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,14 +67,13 @@ providers/common/include/prov/der_rsa.h
 /test/rsa_complex
 /test/confdump
 /test/bio_prefix_text
-# Other generated files in test/
-/test/provider_internal_test.cnf
-/test/fipsinstall.cnf
-/providers/fipsinstall.cnf
 # Certain files that get created by tests on the fly
 /test-runs
 /test/buildtest_*
+/test/provider_internal_test.cnf
+/test/fipsmodule.cnf
+/providers/fipsmodule.cnf
 # Fuzz stuff.
 # Anything without an extension is an executable on Unix, so we keep files
diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c
index 1342cc9949..157f08b11f 100644
--- a/apps/fipsinstall.c
+++ b/apps/fipsinstall.c
@@ -31,12 +31,13 @@ static OSSL_CALLBACK self_test_events;
 static char *self_test_corrupt_desc = NULL;
 static char *self_test_corrupt_type = NULL;
 static int self_test_log = 1;
+static int quiet = 0;
 typedef enum OPTION_choice {
 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_IN, OPT_OUT, OPT_MODULE, OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
- OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE
+ OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET
 } OPTION_CHOICE;
 const OPTIONS fipsinstall_options[] = {
@@ -60,6 +61,7 @@ const OPTIONS fipsinstall_options[] = {
 {"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
 {"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
 {"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
+ {"quiet", OPT_QUIET, '-', "No messages, just exit status"},
 {NULL}
 };
@@ -287,7 +289,7 @@ int fipsinstall_main(int argc, char **argv)
 case OPT_ERR:
 opthelp:
 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
- goto end;
+ goto cleanup;
 case OPT_HELP:
 opt_help(fipsinstall_options);
 ret = 0;
@@ -298,6 +300,9 @@ opthelp:
 case OPT_OUT:
 out_fname = opt_arg();
 break;
+ case OPT_QUIET:
+ quiet = 1;
+ /* FALLTHROUGH */
 case OPT_NO_LOG:
 self_test_log = 0;
 break;
@@ -405,7 +410,8 @@ opthelp:
 if (!verify_config(in_fname, section_name, module_mac, module_mac_len, install_mac, install_mac_len))
 goto end;
- BIO_printf(bio_out, "VERIFY PASSED\n");
+ if (!quiet)
+ BIO_printf(bio_out, "VERIFY PASSED\n");
 } else {
 conf = generate_config_and_load(prov_name, section_name, module_mac,
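Review bot: The help string added in the `@@ -60,6 +61,7 @@` hunk, `"No messages, just exit status"`, overstates what -quiet does: on failure the `end:` block later in this file still calls `ERR_print_errors(bio_err)` unconditionally, so the error queue is written to stderr regardless of the flag. The pod text in this same commit, "Do not output pass/fail messages. Implies -noout.", is the accurate description, so the option table should say the same: `{"quiet", OPT_QUIET, '-', "Suppress pass/fail messages; implies -noout"},`. Separately, the commit message describes the option as -q and the generated file as fipsmodule.conf, while the diff implements -quiet and fipsmodule.cnf. The enum and option table are complete within their hunks; the remaining hunks are fragments of fipsinstall_main, whose start and end lie outside the diff.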
@@ -424,16 +430,19 @@ opthelp:
 module_mac_len, install_mac, install_mac_len))
 goto end;
- BIO_printf(bio_out, "INSTALL PASSED\n");
+ if (!quiet)
+ BIO_printf(bio_out, "INSTALL PASSED\n");
 }
 ret = 0;
 end:
 if (ret == 1) {
- BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
+ if (!quiet)
+ BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
 ERR_print_errors(bio_err);
 }
+cleanup:
 BIO_free(fout);
 BIO_free(mem_bio);
 BIO_free(module_bio);
diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in
index 698ee3e35e..74b23341e3 100644
--- a/doc/man1/openssl-fipsinstall.pod.in
+++ b/doc/man1/openssl-fipsinstall.pod.in
@@ -18,6 +18,7 @@ B
 [B<-mac_name> I]
 [B<-macopt> I:I]
 [B<-noout>]
+[B<-quiet>]
 [B<-corrupt_desc> I]
 [B<-corrupt_type> I]
@@ -114,9 +115,12 @@ C.
 Disable logging of the self tests.
-=item B<-corrupt_desc> I
+=item B<-quiet>
-=item B<-corrupt_type> I
+Do not output pass/fail messages. Implies B<-noout>.
+
+=item B<-corrupt_desc> I,
+B<-corrupt_type> I
 The corrupt options can be used to test failure of one or more self test(s) by name.
diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 03f5a83183..7a4d765591 100644
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -1,6 +1,6 @@
 openssl_conf = openssl_init
-.include fipsinstall.cnf
+.include fipsmodule.cnf
 [openssl_init]
 providers = provider_sect
diff --git a/test/fips.cnf b/test/fips.cnf
index 32c18be671..d6c3c6be14 100644
--- a/test/fips.cnf
+++ b/test/fips.cnf
@@ -1,6 +1,6 @@
 openssl_conf = openssl_init
-.include fipsinstall.cnf
+.include fipsmodule.cnf
 [openssl_init]
 providers = provider_sect
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 217cbd5e2a..88eb41e1c1 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
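Review bot: In the `end:` block of this hunk the new `if (!quiet)` guard covers only the `"%s FAILED\n"` summary, while `ERR_print_errors(bio_err)` on the next line still runs, so -quiet is not silent when a verify or install fails. Keeping that dump is the safer choice — a failed FIPS module integrity check or self-test should leave a trace even when a script asked for quiet output — but as written it reads as an oversight rather than a decision, so mark it with a comment above the call: `/* Always dump the error queue: a FIPS integrity/self-test failure must leave a trace even with -quiet */`. If silence really is intended, the call needs the same `if (!quiet)` guard and the option's help text should then say so. Note also that the usage-error path now jumps straight to `cleanup:` and bypasses this block entirely, which is fine as long as `ret` is initialised to 1 before the option loop; that initialisation, like the start of fipsinstall_main, lies outside the hunk.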
@@ -84,7 +84,7 @@ unless ($no_fips) {
 $ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
 ok(run(app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
 '-module', $infile, '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
diff --git a/test/recipes/30-test_evp_fetch_prov.t b/test/recipes/30-test_evp_fetch_prov.t
index 6c9bfe221c..be06716b44 100644
--- a/test/recipes/30-test_evp_fetch_prov.t
+++ b/test/recipes/30-test_evp_fetch_prov.t
@@ -48,7 +48,7 @@ my @testdata = (
 unless ($no_fips) {
 push @setups, {
 cmd => app(['openssl', 'fipsinstall',
- '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-out', bldtop_file('providers', 'fipsmodule.cnf'),
 '-module', bldtop_file('providers', platform->dso('fips')), '-provider_name', 'fips', '-mac_name', 'HMAC', '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
-- 
2.34.1