]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/recipes/03-test_fipsinstall.t
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
threads_pthread.c: change inline to ossl_inline
[thirdparty/openssl.git] / test / recipes / 03-test_fipsinstall.t
1 #! /usr/bin/env perl
2 # Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 use strict;
10 use warnings;
11
12 use File::Spec::Functions qw(:DEFAULT abs2rel);
13 use File::Copy;
14 use OpenSSL::Glob;
15 use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
16 use OpenSSL::Test::Utils;
17
18 BEGIN {
19 setup("test_fipsinstall");
20 }
21 use lib srctop_dir('Configurations');
22 use lib bldtop_dir('.');
23 use platform;
24
25 plan skip_all => "Test only supported in a fips build" if disabled("fips");
26
27 # Compatible options for pedantic FIPS compliance
28 my @pedantic_okay =
29 ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );
30
31 # Incompatible options for pedantic FIPS compliance
32 my @pedantic_fail =
33 ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
34
35 plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
36
37 my $infile = bldtop_file('providers', platform->dso('fips'));
38 my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
39 my $provconf = srctop_file("test", "fips-and-base.cnf");
40
41 # Read in a text $infile and replace the regular expression in $srch with the
42 # value in $repl and output to a new file $outfile.
43 sub replace_line_file_internal {
44
45 my ($infile, $srch, $repl, $outfile) = @_;
46 my $msg;
47
48 open(my $in, "<", $infile) or return 0;
49 read($in, $msg, 1024);
50 close $in;
51
52 $msg =~ s/$srch/$repl/;
53
54 open(my $fh, ">", $outfile) or return 0;
55 print $fh $msg;
56 close $fh;
57 return 1;
58 }
59
60 # Read in the text input file 'fips.cnf'
61 # and replace a single Key = Value line with a new value in $value.
62 # OR remove the Key = Value line if the passed in $value is empty.
63 # and then output a new file $outfile.
64 # $key is the Key to find
65 sub replace_line_file {
66 my ($key, $value, $outfile) = @_;
67
68 my $srch = qr/$key\s*=\s*\S*\n/;
69 my $rep;
70 if ($value eq "") {
71 $rep = "";
72 } else {
73 $rep = "$key = $value\n";
74 }
75 return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
76 }
77
78 # Read in the text input file 'test/fips.cnf'
79 # and replace the .cnf file used in
80 # .include fipsmodule.cnf with a new value in $value.
81 # and then output a new file $outfile.
82 # $key is the Key to find
83 sub replace_parent_line_file {
84 my ($value, $outfile) = @_;
85 my $srch = qr/fipsmodule.cnf/;
86 my $rep = "$value";
87 return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
88 $srch, $rep, $outfile);
89 }
90
91 # Check if the specified pattern occurs in the given file
92 # Returns 1 if the pattern is found and 0 if not
93 sub find_line_file {
94 my ($key, $file) = @_;
95
96 open(my $in, $file) or return -1;
97 while (my $line = <$in>) {
98 if ($line =~ /$key/) {
99 close($in);
100 return 1;
101 }
102 }
103 close($in);
104 return 0;
105 }
106
107 # fail if no module name
108 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
109 '-provider_name', 'fips',
110 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
111 '-section_name', 'fips_sect'])),
112 "fipsinstall fail");
113
114 # fail to verify if the configuration file is missing
115 ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
116 '-provider_name', 'fips', '-mac_name', 'HMAC',
117 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
118 '-section_name', 'fips_sect', '-verify'])),
119 "fipsinstall verify fail");
120
121
122 # output a fips.cnf file containing mac data
123 ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
124 '-provider_name', 'fips', '-mac_name', 'HMAC',
125 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
126 '-section_name', 'fips_sect'])),
127 "fipsinstall");
128
129 # verify the fips.cnf file
130 ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
131 '-provider_name', 'fips', '-mac_name', 'HMAC',
132 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
133 '-section_name', 'fips_sect', '-verify'])),
134 "fipsinstall verify");
135
136 ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
137 && !run(app(['openssl', 'fipsinstall',
138 '-in', 'fips_no_module_mac.cnf',
139 '-module', $infile,
140 '-provider_name', 'fips', '-mac_name', 'HMAC',
141 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
142 '-section_name', 'fips_sect', '-verify'])),
143 "fipsinstall verify fail no module mac");
144
145 ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
146 && !run(app(['openssl', 'fipsinstall',
147 '-in', 'fips_no_install_mac.cnf',
148 '-module', $infile,
149 '-provider_name', 'fips', '-mac_name', 'HMAC',
150 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
151 '-section_name', 'fips_sect', '-verify'])),
152 "fipsinstall verify fail no install indicator mac");
153
154 ok(replace_line_file('module-mac', '00:00:00:00:00:00',
155 'fips_bad_module_mac.cnf')
156 && !run(app(['openssl', 'fipsinstall',
157 '-in', 'fips_bad_module_mac.cnf',
158 '-module', $infile,
159 '-provider_name', 'fips', '-mac_name', 'HMAC',
160 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
161 '-section_name', 'fips_sect', '-verify'])),
162 "fipsinstall verify fail if invalid module integrity value");
163
164 ok(replace_line_file('install-mac', '00:00:00:00:00:00',
165 'fips_bad_install_mac.cnf')
166 && !run(app(['openssl', 'fipsinstall',
167 '-in', 'fips_bad_install_mac.cnf',
168 '-module', $infile,
169 '-provider_name', 'fips', '-mac_name', 'HMAC',
170 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
171 '-section_name', 'fips_sect', '-verify'])),
172 "fipsinstall verify fail if invalid install indicator integrity value");
173
174 ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
175 'fips_bad_indicator.cnf')
176 && !run(app(['openssl', 'fipsinstall',
177 '-in', 'fips_bad_indicator.cnf',
178 '-module', $infile,
179 '-provider_name', 'fips', '-mac_name', 'HMAC',
180 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
181 '-section_name', 'fips_sect', '-verify'])),
182 "fipsinstall verify fail if invalid install indicator status");
183
184 # fail to verify the fips.cnf file if a different key is used
185 ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
186 '-provider_name', 'fips', '-mac_name', 'HMAC',
187 '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
188 '-section_name', 'fips_sect', '-verify'])),
189 "fipsinstall verify fail bad key");
190
191 # fail to verify the fips.cnf file if a different mac digest is used
192 ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
193 '-provider_name', 'fips', '-mac_name', 'HMAC',
194 '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
195 '-section_name', 'fips_sect', '-verify'])),
196 "fipsinstall verify fail incorrect digest");
197
198 # corrupt the module hmac
199 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
200 '-provider_name', 'fips', '-mac_name', 'HMAC',
201 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
202 '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
203 "fipsinstall fails when the module integrity is corrupted");
204
205 # corrupt the first digest
206 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
207 '-provider_name', 'fips', '-mac_name', 'HMAC',
208 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
209 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
210 "fipsinstall fails when the digest result is corrupted");
211
212 # corrupt another digest
213 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
214 '-provider_name', 'fips', '-mac_name', 'HMAC',
215 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
216 '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
217 "fipsinstall fails when the digest result is corrupted");
218
219 # corrupt cipher encrypt test
220 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
221 '-provider_name', 'fips', '-mac_name', 'HMAC',
222 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
223 '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])),
224 "fipsinstall fails when the AES_GCM result is corrupted");
225
226 # corrupt cipher decrypt test
227 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
228 '-provider_name', 'fips', '-mac_name', 'HMAC',
229 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
230 '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])),
231 "fipsinstall fails when the AES_ECB result is corrupted");
232
233 # corrupt DRBG
234 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
235 '-provider_name', 'fips', '-mac_name', 'HMAC',
236 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
237 '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
238 "fipsinstall fails when the DRBG CTR result is corrupted");
239
240 # corrupt a KAS test
241 SKIP: {
242 skip "Skipping KAS DH corruption test because of no dh in this build", 1
243 if disabled("dh");
244
245 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
246 '-provider_name', 'fips', '-mac_name', 'HMAC',
247 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
248 '-section_name', 'fips_sect',
249 '-corrupt_desc', 'DH',
250 '-corrupt_type', 'KAT_KA'])),
251 "fipsinstall fails when the kas result is corrupted");
252 }
253
254 # corrupt a Signature test - 140-3 requires a known answer test
255 SKIP: {
256 skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
257 if disabled("dsa");
258
259 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
260 capture => 1, statusvar => \my $exit);
261 skip "FIPS provider version is too old for KAT DSA signature test", 1
262 if !$exit;
263 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
264 '-provider_name', 'fips', '-mac_name', 'HMAC',
265 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
266 '-section_name', 'fips_sect', '-self_test_oninstall',
267 '-corrupt_desc', 'DSA',
268 '-corrupt_type', 'KAT_Signature'])),
269 "fipsinstall fails when the signature result is corrupted");
270 }
271
272 # corrupt a Signature test - 140-2 allows a pairwise consistency test
273 SKIP: {
274 skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
275 if disabled("dsa");
276
277 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
278 capture => 1, statusvar => \my $exit);
279 skip "FIPS provider version is too new for PCT DSA signature test", 1
280 if !$exit;
281 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
282 '-provider_name', 'fips', '-mac_name', 'HMAC',
283 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
284 '-section_name', 'fips_sect',
285 '-corrupt_desc', 'DSA',
286 '-corrupt_type', 'PCT_Signature'])),
287 "fipsinstall fails when the signature result is corrupted");
288 }
289
290 # corrupt an Asymmetric cipher test
291 SKIP: {
292 skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
293 if disabled("rsa");
294 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
295 '-corrupt_desc', 'RSA_Encrypt',
296 '-corrupt_type', 'KAT_AsymmetricCipher'])),
297 "fipsinstall fails when the asymmetric cipher result is corrupted");
298 }
299
300 # 'local' ensures that this change is only done in this file.
301 local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());
302
303 ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
304 && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
305 "verify fips provider loads from a configuration file");
306
307 ok(replace_parent_line_file('fips_no_module_mac.cnf',
308 'fips_parent_no_module_mac.cnf')
309 && !run(app(['openssl', 'fipsinstall',
310 '-config', 'fips_parent_no_module_mac.cnf'])),
311 "verify load config fail no module mac");
312
313 SKIP: {
314 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
315 capture => 1, statusvar => \my $exit);
316 skip "FIPS provider version doesn't support self test indicator", 3
317 if !$exit;
318
319 ok(replace_parent_line_file('fips_no_install_mac.cnf',
320 'fips_parent_no_install_mac.cnf')
321 && !run(app(['openssl', 'fipsinstall',
322 '-config', 'fips_parent_no_install_mac.cnf'])),
323 "verify load config fail no install mac");
324
325 ok(replace_parent_line_file('fips_bad_indicator.cnf',
326 'fips_parent_bad_indicator.cnf')
327 && !run(app(['openssl', 'fipsinstall',
328 '-config', 'fips_parent_bad_indicator.cnf'])),
329 "verify load config fail bad indicator");
330
331
332 ok(replace_parent_line_file('fips_bad_install_mac.cnf',
333 'fips_parent_bad_install_mac.cnf')
334 && !run(app(['openssl', 'fipsinstall',
335 '-config', 'fips_parent_bad_install_mac.cnf'])),
336 "verify load config fail bad install mac");
337 }
338
339 ok(replace_parent_line_file('fips_bad_module_mac.cnf',
340 'fips_parent_bad_module_mac.cnf')
341 && !run(app(['openssl', 'fipsinstall',
342 '-config', 'fips_parent_bad_module_mac.cnf'])),
343 "verify load config fail bad module mac");
344
345 SKIP: {
346 run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
347 capture => 1, statusvar => \my $exit);
348 skip "FIPS provider version doesn't support self test indicator", 3
349 if !$exit;
350
351 my $stconf = "fipsmodule_selftest.cnf";
352
353 ok(run(app(['openssl', 'fipsinstall', '-out', $stconf,
354 '-module', $infile, '-self_test_onload'])),
355 "fipsinstall config saved without self test indicator");
356
357 ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf,
358 '-module', $infile, '-verify'])),
359 "fipsinstall config verify fails without self test indicator");
360
361 ok(run(app(['openssl', 'fipsinstall', '-in', $stconf,
362 '-module', $infile, '-self_test_onload', '-verify'])),
363 "fipsinstall config verify passes when self test indicator is not present");
364 }
365
366 SKIP: {
367 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
368 capture => 1, statusvar => \my $exit);
369 skip "FIPS provider version can run self tests on install", 1
370 if !$exit;
371 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
372 '-provider_name', 'fips', '-mac_name', 'HMAC',
373 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
374 '-section_name', 'fips_sect', '-self_test_oninstall',
375 '-ems_check'])),
376 "fipsinstall fails when attempting to run self tests on install");
377 }
378
379 ok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1,
380 'fipsinstall defaults to not banning truncated digests with DRBGs');
381
382 ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
383 '-provider_name', 'fips', '-mac_name', 'HMAC',
384 '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
385 '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])),
386 "fipsinstall knows about allowing truncated digests in DRBGs");
387
388 ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
389 'fipsinstall will allow option for truncated digests with DRBGs');
390
391
392 ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
393 '-module', $infile, '-pedantic'])),
394 "fipsinstall accepts -pedantic option");
395
396 foreach my $o (@pedantic_okay) {
397 ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
398 '-module', $infile, '-pedantic', "-${o}"])),
399 "fipsinstall accepts -${o} after -pedantic option");
400 }
401
402 foreach my $o (@pedantic_fail) {
403 ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
404 '-module', $infile, '-pedantic', "-${o}"])),
405 "fipsinstall disallows -${o} after -pedantic option");
406 }
407
A mirror of the official openssl repository