Commit | Line | Data |
---|---|---|
95214b43 | 1 | #! /usr/bin/env perl |
8020d79b | 2 | # Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
95214b43 SL |
3 | # |
4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use warnings; | |
11 | ||
e25b4db7 | 12 | use File::Spec::Functions qw(:DEFAULT abs2rel); |
95214b43 SL |
13 | use File::Copy; |
14 | use OpenSSL::Glob; | |
9f7bdcf3 | 15 | use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; |
95214b43 SL |
16 | use OpenSSL::Test::Utils; |
17 | ||
18 | BEGIN { | |
19 | setup("test_fipsinstall"); | |
20 | } | |
21 | use lib srctop_dir('Configurations'); | |
22 | use lib bldtop_dir('.'); | |
23 | use platform; | |
24 | ||
# Every case below drives 'openssl fipsinstall' against the FIPS provider
# module, so the whole file is skipped when "fips" is disabled in the build.
plan skip_all => "Test only supported in a fips build" if disabled("fips");

plan tests => 24;

# Path of the FIPS provider shared object in the build tree; it is passed to
# fipsinstall as the '-module' argument in the cases below.
my $infile = bldtop_file('providers', platform->dso('fips'));
# Hex HMAC key handed to fipsinstall via '-macopt hexkey:...'.  Taken from
# the FIPSKEY environment variable, falling back to '00' when it is unset.
# NOTE(review): the "wrong key" cases below hard-code hexkey:01, so they
# presumably assume FIPSKEY is never set to 01 -- confirm.
my $fipskey = $ENV{FIPSKEY} // '00';
95214b43 | 31 | |
9f7bdcf3 SL |
32 | # Read in a text $infile and replace the regular expression in $srch with the |
33 | # value in $repl and output to a new file $outfile. | |
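# Copy the text file $infile to $outfile, replacing the first match of the
# regular expression $srch with the string $repl.
#
# Returns 1 on success and 0 if either file cannot be opened, read or
# written.  Whether the substitution matched is not checked: 1 is still
# returned when $srch matched nothing and $outfile is an unmodified copy.
sub replace_line_file_internal {

    my ($infile, $srch, $repl, $outfile) = @_;

    open(my $in, "<", $infile) or return 0;
    # Slurp the whole file.  A fixed-size read silently truncates a larger
    # config, and a "must fail" test could then pass because of the
    # truncation rather than because of the edit under test.
    my $msg = do { local $/; <$in> };
    close $in;
    return 0 unless defined $msg;

    $msg =~ s/$srch/$repl/;

    open(my $fh, ">", $outfile) or return 0;
    # Buffered write errors may only surface at close, so check both calls.
    my $written = print $fh $msg;
    my $closed = close $fh;
    return ($written && $closed) ? 1 : 0;
}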
50 | ||
51 | # Read in the text input file 'fips.cnf' | |
52 | # and replace a single Key = Value line with a new value in $value. | |
53 | # OR remove the Key = Value line if the passed in $value is empty. | |
54 | # and then output a new file $outfile. | |
55 | # $key is the Key to find | |
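# Copy 'fips.cnf' (in the current directory) to $outfile with the first
# "Key = Value" line for $key rewritten to "$key = $value", or removed
# entirely when $value is the empty string.
#
# Returns the result of replace_line_file_internal() (1 on success, 0 on
# an I/O failure).
sub replace_line_file {
    my ($key, $value, $outfile) = @_;

    # \Q..\E makes $key match literally; without it a regex metacharacter in
    # a key name would silently change which line gets edited.  The pattern
    # is still unanchored, so it also matches $key at the end of a longer
    # key name.
    my $srch = qr/\Q$key\E\s*=\s*\S*\n/;
    my $rep = $value eq "" ? "" : "$key = $value\n";
    return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
}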
68 | ||
69 | # Read in the text input file 'test/fips.cnf' | |
70 | # and replace the .cnf file used in | |
71 | # .include fipsmodule.cnf with a new value in $value. | |
72 | # and then output a new file $outfile. | |
73 | # $key is the Key to find | |
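# Copy the template 'test/fips.cnf' from the source tree to $outfile,
# replacing the first occurrence of the file name "fipsmodule.cnf" (the
# target of its .include line) with $value.
#
# Returns the result of replace_line_file_internal() (1 on success, 0 on
# an I/O failure).
sub replace_parent_line_file {
    my ($value, $outfile) = @_;
    # Escape the dot so that only the literal file name matches; an
    # unescaped '.' would accept any character in that position.
    my $srch = qr/fipsmodule\.cnf/;
    my $rep = "$value";
    return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
                                      $srch, $rep, $outfile);
}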
81 | ||
# fail if no module name: '-module' is not followed by a path here (the next
# list element is '-provider_name'), so the command must exit non-zero.
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
             '-provider_name', 'fips',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect'])),
   "fipsinstall fail");

# fail to verify if the configuration file is missing
# ('dummy.tmp' is not created anywhere in this file)
ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail");


# output a fips.cnf file containing mac data
# This fips.cnf is the file replace_line_file() later copies and edits for
# the tamper cases, so the cases below depend on this one having succeeded.
ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect'])),
   "fipsinstall");

# verify the fips.cnf file
# Positive control: same module, digest and key as the install run above.
ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify");
95214b43 | 110 | |
# Tamper cases: each one derives a modified copy of the fips.cnf generated
# above and expects '-verify' to reject it.
#
# NOTE(review): every case in this group verifies with hexkey:01, while
# fips.cnf was generated with hexkey:$fipskey.  The "bad key" case later in
# this file expects that key mismatch alone to make -verify fail on the
# untouched fips.cnf, so these cases would presumably still pass if the
# specific tamper check regressed.  Consider verifying with
# "hexkey:$fipskey" so that the edit is the only difference -- confirm each
# case still fails with the right key before changing it.

# module-mac line removed
ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_no_module_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail no module mac");

# install-mac line removed
ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_no_install_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail no install indicator mac");

# module-mac replaced by a constructed all-zero value
ok(replace_line_file('module-mac', '00:00:00:00:00:00',
                     'fips_bad_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_module_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid module integrity value");

# install-mac replaced by a constructed all-zero value
ok(replace_line_file('install-mac', '00:00:00:00:00:00',
                     'fips_bad_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_install_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid install indicator integrity value");

# install-status replaced by a string that is not the expected status
ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
                     'fips_bad_indicator.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_indicator.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid install indicator status");
158 | ||
# fail to verify the fips.cnf file if a different key is used
# (fips.cnf was written with hexkey:$fipskey; this run supplies hexkey:01,
# so it only tests anything when FIPSKEY is not itself 01)
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail bad key");

# fail to verify the fips.cnf file if a different mac digest is used
# (same key as the install run, but SHA512 instead of SHA256)
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail incorrect digest");
36fc5fc6 SL |
172 | |
# Self-test corruption cases: '-corrupt_desc' names a self-test whose result
# is to be corrupted, and each install run is expected to fail as a result.

# corrupt the module hmac
# NOTE(review): this failing run names 'fips.cnf' as its output, and the
# config-load case near the end of the file still needs a valid fips.cnf.
# Presumably a failed install leaves the existing file untouched -- confirm,
# or write to 'fips_fail.cnf' as the next three cases do.
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
   "fipsinstall fails when the module integrity is corrupted");

# corrupt the first digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
   "fipsinstall fails when the digest result is corrupted");

# corrupt another digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
   "fipsinstall fails when the digest result is corrupted");

# corrupt DRBG
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
   "fipsinstall fails when the DRBG CTR result is corrupted");
ec4d1b8f SL |
200 | |
# The three cases below add '-corrupt_type' alongside '-corrupt_desc'.  Each
# is wrapped in a SKIP block so that it still counts as one planned test
# when the algorithm it needs is disabled in this build.

# corrupt a KAS test
SKIP: {
    skip "Skipping KAS DH corruption test because of no dh in this build", 1
        if disabled("dh");

    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                 '-section_name', 'fips_sect',
                 '-corrupt_desc', 'DH',
                 '-corrupt_type', 'KAT_KA'])),
       "fipsinstall fails when the kas result is corrupted");
}

# corrupt a Signature test
SKIP: {
    skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
        if disabled("dsa");
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                 '-provider_name', 'fips', '-mac_name', 'HMAC',
                 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                 '-section_name', 'fips_sect',
                 '-corrupt_desc', 'DSA',
                 '-corrupt_type', 'KAT_Signature'])),
       "fipsinstall fails when the signature result is corrupted");
}

# corrupt an Asymmetric cipher test
# NOTE(review): unlike every other corruption case, this one passes no
# -provider_name, -mac_name, -macopt or -section_name.  If fipsinstall does
# not supply defaults for them, the run fails on the missing options and the
# corruption itself is never exercised -- confirm the defaults exist.
SKIP: {
    skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
        if disabled("rsa");
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                 '-corrupt_desc', 'RSA_Encrypt',
                 '-corrupt_type', 'KAT_AsymmetricCipher'])),
       "fipsinstall fails when the asymmetric cipher result is corrupted");
}
237 | ||
# 'local' ensures that this change is only done in this file.
# OPENSSL_CONF_INCLUDE is pointed at the current directory (as a relative
# path), which is where the fips*.cnf files named in the parent configs
# below are written.
local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());

# Config-load cases: each one writes a parent config (a copy of the source
# tree's test/fips.cnf with "fipsmodule.cnf" replaced by the named file) and
# runs fipsinstall with '-config' pointing at it.

# Positive control: the parent config pulls in the valid fips.cnf.
ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
   && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
   "verify fips provider loads from a configuration file");

# The remaining cases pull in the tampered copies created earlier in this
# file and expect the run to fail.
ok(replace_parent_line_file('fips_no_module_mac.cnf',
                            'fips_parent_no_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_no_module_mac.cnf'])),
   "verify load config fail no module mac");

ok(replace_parent_line_file('fips_no_install_mac.cnf',
                            'fips_parent_no_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_no_install_mac.cnf'])),
   "verify load config fail no install mac");

ok(replace_parent_line_file('fips_bad_indicator.cnf',
                            'fips_parent_bad_indicator.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_bad_indicator.cnf'])),
   "verify load config fail bad indicator");


ok(replace_parent_line_file('fips_bad_install_mac.cnf',
                            'fips_parent_bad_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_bad_install_mac.cnf'])),
   "verify load config fail bad install mac");

ok(replace_parent_line_file('fips_bad_module_mac.cnf',
                            'fips_parent_bad_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_bad_module_mac.cnf'])),
   "verify load config fail bad module mac");