]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/recipes/03-test_fipsinstall.t
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Update copyright year
[thirdparty/openssl.git] / test / recipes / 03-test_fipsinstall.t
CommitLineData
95214b43 1#! /usr/bin/env perl
8020d79b 2# Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
95214b43
SL		 3#
4# Licensed under the Apache License 2.0 (the "License"). You may not use
5# this file except in compliance with the License. You can obtain a copy
6# in the file LICENSE in the source distribution or at
7# https://www.openssl.org/source/license.html
8
9use strict;
10use warnings;
11
e25b4db7 12use File::Spec::Functions qw(:DEFAULT abs2rel);
95214b43
SL		 13use File::Copy;
14use OpenSSL::Glob;
9f7bdcf3 15use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
95214b43
SL		 16use OpenSSL::Test::Utils;
17
18BEGIN {
19 setup("test_fipsinstall");
20}
21use lib srctop_dir('Configurations');
22use lib bldtop_dir('.');
23use platform;
24
25plan skip_all => "Test only supported in a fips build" if disabled("fips");
26
4343a418 27plan tests => 24;
95214b43
SL		 28
29my $infile = bldtop_file('providers', platform->dso('fips'));
31214258 30my $fipskey = $ENV{FIPSKEY} // '00';
95214b43 31
9f7bdcf3
SL		 32# Read in a text $infile and replace the regular expression in $srch with the
33# value in $repl and output to a new file $outfile.
34sub replace_line_file_internal {
35
36 my ($infile, $srch, $repl, $outfile) = @_;
37 my $msg;
38
39 open(my $in, "<", $infile) or return 0;
40 read($in, $msg, 1024);
41 close $in;
42
43 $msg =~ s/$srch/$repl/;
44
45 open(my $fh, ">", $outfile) or return 0;
46 print $fh $msg;
47 close $fh;
48 return 1;
49}
50
51# Read in the text input file 'fips.cnf'
52# and replace a single Key = Value line with a new value in $value.
53# OR remove the Key = Value line if the passed in $value is empty.
54# and then output a new file $outfile.
55# $key is the Key to find
56sub replace_line_file {
57 my ($key, $value, $outfile) = @_;
58
59 my $srch = qr/$key\s*=\s*\S*\n/;
60 my $rep;
61 if ($value eq "") {
62 $rep = "";
63 } else {
64 $rep = "$key = $value\n";
65 }
66 return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
67}
68
69# Read in the text input file 'test/fips.cnf'
70# and replace the .cnf file used in
71# .include fipsmodule.cnf with a new value in $value.
72# and then output a new file $outfile.
73# $key is the Key to find
74sub replace_parent_line_file {
75 my ($value, $outfile) = @_;
76 my $srch = qr/fipsmodule.cnf/;
77 my $rep = "$value";
78 return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
79 $srch, $rep, $outfile);
80}
81
be3acd79 82# fail if no module name
433deaff 83ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
95214b43 84 '-provider_name', 'fips',
31214258 85 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 86 '-section_name', 'fips_sect'])),
be3acd79 87 "fipsinstall fail");
95214b43 88
be3acd79 89# fail to verify if the configuration file is missing
95214b43
SL		 90ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
91 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 92 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 93 '-section_name', 'fips_sect', '-verify'])),
be3acd79 94 "fipsinstall verify fail");
95214b43
SL		 95
96
433deaff
RS		 97# output a fips.cnf file containing mac data
98ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
95214b43 99 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 100 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 101 '-section_name', 'fips_sect'])),
be3acd79 102 "fipsinstall");
95214b43 103
433deaff
RS		 104# verify the fips.cnf file
105ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43 106 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 107 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 108 '-section_name', 'fips_sect', '-verify'])),
be3acd79 109 "fipsinstall verify");
95214b43 110
9f7bdcf3
SL		 111ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
112 && !run(app(['openssl', 'fipsinstall',
113 '-in', 'fips_no_module_mac.cnf',
114 '-module', $infile,
115 '-provider_name', 'fips', '-mac_name', 'HMAC',
116 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
117 '-section_name', 'fips_sect', '-verify'])),
118 "fipsinstall verify fail no module mac");
119
120ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
121 && !run(app(['openssl', 'fipsinstall',
122 '-in', 'fips_no_install_mac.cnf',
123 '-module', $infile,
124 '-provider_name', 'fips', '-mac_name', 'HMAC',
125 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
126 '-section_name', 'fips_sect', '-verify'])),
127 "fipsinstall verify fail no install indicator mac");
128
129ok(replace_line_file('module-mac', '00:00:00:00:00:00',
130 'fips_bad_module_mac.cnf')
131 && !run(app(['openssl', 'fipsinstall',
132 '-in', 'fips_bad_module_mac.cnf',
133 '-module', $infile,
134 '-provider_name', 'fips', '-mac_name', 'HMAC',
135 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
136 '-section_name', 'fips_sect', '-verify'])),
137 "fipsinstall verify fail if invalid module integrity value");
138
139ok(replace_line_file('install-mac', '00:00:00:00:00:00',
140 'fips_bad_install_mac.cnf')
141 && !run(app(['openssl', 'fipsinstall',
142 '-in', 'fips_bad_install_mac.cnf',
143 '-module', $infile,
144 '-provider_name', 'fips', '-mac_name', 'HMAC',
145 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
146 '-section_name', 'fips_sect', '-verify'])),
147 "fipsinstall verify fail if invalid install indicator integrity value");
148
149ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
150 'fips_bad_indicator.cnf')
151 && !run(app(['openssl', 'fipsinstall',
152 '-in', 'fips_bad_indicator.cnf',
153 '-module', $infile,
154 '-provider_name', 'fips', '-mac_name', 'HMAC',
155 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
156 '-section_name', 'fips_sect', '-verify'])),
157 "fipsinstall verify fail if invalid install indicator status");
158
433deaff
RS		 159# fail to verify the fips.cnf file if a different key is used
160ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43 161 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 162 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
9f7bdcf3 163 '-section_name', 'fips_sect', '-verify'])),
be3acd79 164 "fipsinstall verify fail bad key");
95214b43 165
433deaff
RS		 166# fail to verify the fips.cnf file if a different mac digest is used
167ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43 168 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 169 '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
9f7bdcf3 170 '-section_name', 'fips_sect', '-verify'])),
be3acd79 171 "fipsinstall verify fail incorrect digest");
36fc5fc6
SL		 172
173# corrupt the module hmac
433deaff 174ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
36fc5fc6 175 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 176 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 177 '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
36fc5fc6
SL		 178 "fipsinstall fails when the module integrity is corrupted");
179
180# corrupt the first digest
9f7bdcf3 181ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
36fc5fc6 182 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 183 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 184 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
36fc5fc6
SL		 185 "fipsinstall fails when the digest result is corrupted");
186
187# corrupt another digest
9f7bdcf3 188ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
36fc5fc6 189 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 190 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 191 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
36fc5fc6 192 "fipsinstall fails when the digest result is corrupted");
980a880e
SL		 193
194# corrupt DRBG
9f7bdcf3 195ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
980a880e 196 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 197 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 198 '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
980a880e 199 "fipsinstall fails when the DRBG CTR result is corrupted");
ec4d1b8f
SL		 200
201# corrupt a KAS test
a7a7643a
MC		 202SKIP: {
203 skip "Skipping KAS DH corruption test because of no dh in this build", 1
204 if disabled("dh");
205
97a8878c 206 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
a7a7643a 207 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 208 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 209 '-section_name', 'fips_sect',
a7a7643a
MC		 210 '-corrupt_desc', 'DH',
211 '-corrupt_type', 'KAT_KA'])),
212 "fipsinstall fails when the kas result is corrupted");
213}
ec4d1b8f
SL		 214
215# corrupt a Signature test
9be92bec
MC		 216SKIP: {
217 skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
218 if disabled("dsa");
97a8878c 219 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
9be92bec 220 '-provider_name', 'fips', '-mac_name', 'HMAC',
31214258 221 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3 222 '-section_name', 'fips_sect',
9be92bec
MC		 223 '-corrupt_desc', 'DSA',
224 '-corrupt_type', 'KAT_Signature'])),
225 "fipsinstall fails when the signature result is corrupted");
226}
9f7bdcf3 227
4343a418
SL		 228# corrupt an Asymmetric cipher test
229SKIP: {
230 skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
231 if disabled("rsa");
232 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
233 '-corrupt_desc', 'RSA_Encrypt',
234 '-corrupt_type', 'KAT_AsymmetricCipher'])),
235 "fipsinstall fails when the asymmetric cipher result is corrupted");
236}
237
e25b4db7
RL		 238# 'local' ensures that this change is only done in this file.
239local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());
9f7bdcf3
SL		 240
241ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
242 && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
243 "verify fips provider loads from a configuration file");
244
245ok(replace_parent_line_file('fips_no_module_mac.cnf',
246 'fips_parent_no_module_mac.cnf')
247 && !run(app(['openssl', 'fipsinstall',
248 '-config', 'fips_parent_no_module_mac.cnf'])),
249 "verify load config fail no module mac");
250
251ok(replace_parent_line_file('fips_no_install_mac.cnf',
252 'fips_parent_no_install_mac.cnf')
253 && !run(app(['openssl', 'fipsinstall',
254 '-config', 'fips_parent_no_install_mac.cnf'])),
255 "verify load config fail no install mac");
256
257ok(replace_parent_line_file('fips_bad_indicator.cnf',
258 'fips_parent_bad_indicator.cnf')
259 && !run(app(['openssl', 'fipsinstall',
260 '-config', 'fips_parent_bad_indicator.cnf'])),
261 "verify load config fail bad indicator");
262
263
264ok(replace_parent_line_file('fips_bad_install_mac.cnf',
265 'fips_parent_bad_install_mac.cnf')
266 && !run(app(['openssl', 'fipsinstall',
267 '-config', 'fips_parent_bad_install_mac.cnf'])),
268 "verify load config fail bad install mac");
269
270ok(replace_parent_line_file('fips_bad_module_mac.cnf',
271 'fips_parent_bad_module_mac.cnf')
272 && !run(app(['openssl', 'fipsinstall',
273 '-config', 'fips_parent_bad_module_mac.cnf'])),
274 "verify load config fail bad module mac");
A mirror of the official openssl repository