[thirdparty/openssl.git] / test / recipes / 03-test_fipsinstall.t

#! /usr/bin/env perl
# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License").  You may not use
# this file except in compliance with the License.  You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html

use strict;
use warnings;

use File::Spec::Functions qw(:DEFAULT abs2rel);
use File::Copy;
use OpenSSL::Glob;
use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
use OpenSSL::Test::Utils;

BEGIN {
    setup("test_fipsinstall");
}
use lib srctop_dir('Configurations');
use lib bldtop_dir('.');
use platform;

plan skip_all => "Test only supported in a fips build" if disabled("fips");

# Compatible options for pedantic FIPS compliance
my @pedantic_okay =
    ( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );

# Incompatible options for pedantic FIPS compliance
my @pedantic_fail =
    ( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );

plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);

my $infile = bldtop_file('providers', platform->dso('fips'));
my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
my $provconf = srctop_file("test", "fips-and-base.cnf");

# Read in a text $infile and replace the regular expression in $srch with the
# value in $repl and output to a new file $outfile.
sub replace_line_file_internal {

    my ($infile, $srch, $repl, $outfile) = @_;
    my $msg;

    open(my $in, "<", $infile) or return 0;
    read($in, $msg, 1024);
    close $in;

    $msg =~ s/$srch/$repl/;

    open(my $fh, ">", $outfile) or return 0;
    print $fh $msg;
    close $fh;
    return 1;
}

# Read in the text input file 'fips.cnf'
# and replace a single Key = Value line with a new value in $value.
# OR remove the Key = Value line if the passed in $value is empty.
# and then output a new file $outfile.
# $key is the Key to find
sub replace_line_file {
    my ($key, $value, $outfile) = @_;

    my $srch = qr/$key\s*=\s*\S*\n/;
    my $rep;
    if ($value eq "") {
        $rep = "";
    } else {
       $rep = "$key = $value\n";
    }
    return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
}

# Read in the text input file 'test/fips.cnf'
# and replace the .cnf file used in
# .include fipsmodule.cnf with a new value in $value.
# and then output a new file $outfile.
# $key is the Key to find
sub replace_parent_line_file {
    my ($value, $outfile) = @_;
    my $srch = qr/fipsmodule.cnf/;
    my $rep = "$value";
    return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
                                      $srch, $rep, $outfile);
}

# Check if the specified pattern occurs in the given file
# Returns 1 if the pattern is found and 0 if not
sub find_line_file {
    my ($key, $file) = @_;

    open(my $in, $file) or return -1;
    while (my $line = <$in>) {
        if ($line =~ /$key/) {
            close($in);
            return 1;
        }
    }
    close($in);
    return 0;
}

# fail if no module name
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
             '-provider_name', 'fips',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect'])),
   "fipsinstall fail");

# fail to verify if the configuration file is missing
ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail");


# output a fips.cnf file containing mac data
ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect'])),
   "fipsinstall");

# verify the fips.cnf file
ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify");

ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_no_module_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail no module mac");

ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_no_install_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail no install indicator mac");

ok(replace_line_file('module-mac', '00:00:00:00:00:00',
                     'fips_bad_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_module_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid module integrity value");

ok(replace_line_file('install-mac', '00:00:00:00:00:00',
                     'fips_bad_install_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_install_mac.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid install indicator integrity value");

ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
                     'fips_bad_indicator.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-in', 'fips_bad_indicator.cnf',
                '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
                '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail if invalid install indicator status");

# fail to verify the fips.cnf file if a different key is used
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail bad key");

# fail to verify the fips.cnf file if a different mac digest is used
ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
             '-provider_name', 'fips', '-mac_name', 'HMAC',
             '-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
             '-section_name', 'fips_sect', '-verify'])),
   "fipsinstall verify fail incorrect digest");

# corrupt the module hmac
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
   "fipsinstall fails when the module integrity is corrupted");

# corrupt the first digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
   "fipsinstall fails when the digest result is corrupted");

# corrupt another digest
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
   "fipsinstall fails when the digest result is corrupted");

# corrupt cipher encrypt test
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])),
   "fipsinstall fails when the AES_GCM result is corrupted");

# corrupt cipher decrypt test
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])),
   "fipsinstall fails when the AES_ECB result is corrupted");

# corrupt DRBG
ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
            '-provider_name', 'fips', '-mac_name', 'HMAC',
            '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
            '-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
   "fipsinstall fails when the DRBG CTR result is corrupted");

# corrupt a KAS test
SKIP: {
    skip "Skipping KAS DH corruption test because of no dh in this build", 1
        if disabled("dh");

    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                '-section_name', 'fips_sect',
                '-corrupt_desc', 'DH',
                '-corrupt_type', 'KAT_KA'])),
       "fipsinstall fails when the kas result is corrupted");
}

# corrupt a Signature test - 140-3 requires a known answer test
SKIP: {
    skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
        if disabled("dsa");

    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
             capture => 1, statusvar => \my $exit);
    skip "FIPS provider version is too old for KAT DSA signature test", 1
        if !$exit;
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                '-section_name', 'fips_sect', '-self_test_oninstall',
                '-corrupt_desc', 'DSA',
                '-corrupt_type', 'KAT_Signature'])),
       "fipsinstall fails when the signature result is corrupted");
}

# corrupt a Signature test - 140-2 allows a pairwise consistency test
SKIP: {
    skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
        if disabled("dsa");

    run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
             capture => 1, statusvar => \my $exit);
    skip "FIPS provider version is too new for PCT DSA signature test", 1
        if !$exit;
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                '-section_name', 'fips_sect',
                '-corrupt_desc', 'DSA',
                '-corrupt_type', 'PCT_Signature'])),
       "fipsinstall fails when the signature result is corrupted");
}

# corrupt an Asymmetric cipher test
SKIP: {
    skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
        if disabled("rsa");
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                '-corrupt_desc', 'RSA_Encrypt',
                '-corrupt_type', 'KAT_AsymmetricCipher'])),
       "fipsinstall fails when the asymmetric cipher result is corrupted");
}

# 'local' ensures that this change is only done in this file.
local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());

ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
   && run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
   "verify fips provider loads from a configuration file");

ok(replace_parent_line_file('fips_no_module_mac.cnf',
                            'fips_parent_no_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_no_module_mac.cnf'])),
   "verify load config fail no module mac");

SKIP: {
    run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
             capture => 1, statusvar => \my $exit);
    skip "FIPS provider version doesn't support self test indicator", 3
        if !$exit;

    ok(replace_parent_line_file('fips_no_install_mac.cnf',
                                'fips_parent_no_install_mac.cnf')
       && !run(app(['openssl', 'fipsinstall',
                    '-config', 'fips_parent_no_install_mac.cnf'])),
       "verify load config fail no install mac");

    ok(replace_parent_line_file('fips_bad_indicator.cnf',
                                'fips_parent_bad_indicator.cnf')
       && !run(app(['openssl', 'fipsinstall',
                    '-config', 'fips_parent_bad_indicator.cnf'])),
       "verify load config fail bad indicator");


    ok(replace_parent_line_file('fips_bad_install_mac.cnf',
                                'fips_parent_bad_install_mac.cnf')
       && !run(app(['openssl', 'fipsinstall',
                    '-config', 'fips_parent_bad_install_mac.cnf'])),
       "verify load config fail bad install mac");
}

ok(replace_parent_line_file('fips_bad_module_mac.cnf',
                            'fips_parent_bad_module_mac.cnf')
   && !run(app(['openssl', 'fipsinstall',
                '-config', 'fips_parent_bad_module_mac.cnf'])),
   "verify load config fail bad module mac");

SKIP: {
    run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
             capture => 1, statusvar => \my $exit);
    skip "FIPS provider version doesn't support self test indicator", 3
        if !$exit;

    my $stconf = "fipsmodule_selftest.cnf";

    ok(run(app(['openssl', 'fipsinstall', '-out', $stconf,
                '-module', $infile, '-self_test_onload'])),
           "fipsinstall config saved without self test indicator");

    ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf,
                 '-module', $infile, '-verify'])),
            "fipsinstall config verify fails without self test indicator");

    ok(run(app(['openssl', 'fipsinstall', '-in', $stconf,
                '-module', $infile, '-self_test_onload', '-verify'])),
           "fipsinstall config verify passes when self test indicator is not present");
}

SKIP: {
    run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
             capture => 1, statusvar => \my $exit);
    skip "FIPS provider version can run self tests on install", 1
        if !$exit;
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
                '-provider_name', 'fips', '-mac_name', 'HMAC',
                '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
                '-section_name', 'fips_sect', '-self_test_oninstall',
                '-ems_check'])),
       "fipsinstall fails when attempting to run self tests on install");
}

ok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1,
   'fipsinstall defaults to not banning truncated digests with DRBGs');

ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
           '-provider_name', 'fips', '-mac_name', 'HMAC',
           '-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
           '-section_name', 'fips_sect', '-no_drbg_truncated_digests'])),
   "fipsinstall knows about allowing truncated digests in DRBGs");

ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
   'fipsinstall will allow option for truncated digests with DRBGs');


ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
            '-module', $infile, '-pedantic'])),
       "fipsinstall accepts -pedantic option");

foreach my $o (@pedantic_okay) {
    ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
                '-module', $infile, '-pedantic', "-${o}"])),
           "fipsinstall accepts -${o} after -pedantic option");
}

foreach my $o (@pedantic_fail) {
    ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
                 '-module', $infile, '-pedantic', "-${o}"])),
            "fipsinstall disallows -${o} after -pedantic option");
}
Commit	Line	Data
95214b43	1	#! /usr/bin/env perl
da1c088f	2	# Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
95214b43 SL	3	#
	4	# Licensed under the Apache License 2.0 (the "License"). You may not use
	5	# this file except in compliance with the License. You can obtain a copy
	6	# in the file LICENSE in the source distribution or at
	7	# https://www.openssl.org/source/license.html
	8
	9	use strict;
	10	use warnings;
	11
e25b4db7	12	use File::Spec::Functions qw(:DEFAULT abs2rel);
95214b43 SL	13	use File::Copy;
95214b43 SL	14	use OpenSSL::Glob;
9f7bdcf3	15	use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
95214b43 SL	16	use OpenSSL::Test::Utils;
	17
	18	BEGIN {
	19	setup("test_fipsinstall");
	20	}
	21	use lib srctop_dir('Configurations');
	22	use lib bldtop_dir('.');
	23	use platform;
	24
	25	plan skip_all => "Test only supported in a fips build" if disabled("fips");
	26
c8093347 P	27	# Compatible options for pedantic FIPS compliance
	28	my @pedantic_okay =
	29	( 'ems_check', 'no_drbg_truncated_digests', 'self_test_onload' );
	30
	31	# Incompatible options for pedantic FIPS compliance
	32	my @pedantic_fail =
	33	( 'no_conditional_errors', 'no_security_checks', 'self_test_oninstall' );
	34
	35	plan tests => 35 + (scalar @pedantic_okay) + (scalar @pedantic_fail);
95214b43 SL	36
95214b43 SL	37	my $infile = bldtop_file('providers', platform->dso('fips'));
ffc22e03	38	my $fipskey = $ENV{FIPSKEY} // config('FIPSKEY') // '00';
6e38ac39	39	my $provconf = srctop_file("test", "fips-and-base.cnf");
95214b43	40
9f7bdcf3 SL	41	# Read in a text $infile and replace the regular expression in $srch with the
	42	# value in $repl and output to a new file $outfile.
	43	sub replace_line_file_internal {
	44
	45	my ($infile, $srch, $repl, $outfile) = @_;
	46	my $msg;
	47
	48	open(my $in, "<", $infile) or return 0;
	49	read($in, $msg, 1024);
	50	close $in;
	51
	52	$msg =~ s/$srch/$repl/;
	53
	54	open(my $fh, ">", $outfile) or return 0;
	55	print $fh $msg;
	56	close $fh;
	57	return 1;
	58	}
	59
	60	# Read in the text input file 'fips.cnf'
	61	# and replace a single Key = Value line with a new value in $value.
	62	# OR remove the Key = Value line if the passed in $value is empty.
	63	# and then output a new file $outfile.
	64	# $key is the Key to find
	65	sub replace_line_file {
	66	my ($key, $value, $outfile) = @_;
	67
	68	my $srch = qr/$key\s=\s\S*\n/;
	69	my $rep;
	70	if ($value eq "") {
	71	$rep = "";
	72	} else {
	73	$rep = "$key = $value\n";
	74	}
	75	return replace_line_file_internal('fips.cnf', $srch, $rep, $outfile);
	76	}
	77
	78	# Read in the text input file 'test/fips.cnf'
	79	# and replace the .cnf file used in
	80	# .include fipsmodule.cnf with a new value in $value.
	81	# and then output a new file $outfile.
	82	# $key is the Key to find
	83	sub replace_parent_line_file {
	84	my ($value, $outfile) = @_;
	85	my $srch = qr/fipsmodule.cnf/;
	86	my $rep = "$value";
	87	return replace_line_file_internal(srctop_file("test", 'fips.cnf'),
	88	$srch, $rep, $outfile);
	89	}
	90
78bcbc1e P	91	# Check if the specified pattern occurs in the given file
	92	# Returns 1 if the pattern is found and 0 if not
	93	sub find_line_file {
	94	my ($key, $file) = @_;
	95
	96	open(my $in, $file) or return -1;
	97	while (my $line = <$in>) {
	98	if ($line =~ /$key/) {
	99	close($in);
	100	return 1;
	101	}
	102	}
	103	close($in);
	104	return 0;
	105	}
	106
be3acd79	107	# fail if no module name
433deaff	108	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module',
95214b43	109	'-provider_name', 'fips',
31214258	110	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	111	'-section_name', 'fips_sect'])),
be3acd79	112	"fipsinstall fail");
95214b43	113
be3acd79	114	# fail to verify if the configuration file is missing
95214b43 SL	115	ok(!run(app(['openssl', 'fipsinstall', '-in', 'dummy.tmp', '-module', $infile,
95214b43 SL	116	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	117	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	118	'-section_name', 'fips_sect', '-verify'])),
be3acd79	119	"fipsinstall verify fail");
95214b43 SL	120
95214b43 SL	121
433deaff RS	122	# output a fips.cnf file containing mac data
433deaff RS	123	ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
95214b43	124	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	125	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	126	'-section_name', 'fips_sect'])),
be3acd79	127	"fipsinstall");
95214b43	128
433deaff RS	129	# verify the fips.cnf file
433deaff RS	130	ok(run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43	131	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	132	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	133	'-section_name', 'fips_sect', '-verify'])),
be3acd79	134	"fipsinstall verify");
95214b43	135
9f7bdcf3 SL	136	ok(replace_line_file('module-mac', '', 'fips_no_module_mac.cnf')
	137	&& !run(app(['openssl', 'fipsinstall',
	138	'-in', 'fips_no_module_mac.cnf',
	139	'-module', $infile,
	140	'-provider_name', 'fips', '-mac_name', 'HMAC',
	141	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
	142	'-section_name', 'fips_sect', '-verify'])),
	143	"fipsinstall verify fail no module mac");
	144
	145	ok(replace_line_file('install-mac', '', 'fips_no_install_mac.cnf')
	146	&& !run(app(['openssl', 'fipsinstall',
	147	'-in', 'fips_no_install_mac.cnf',
	148	'-module', $infile,
	149	'-provider_name', 'fips', '-mac_name', 'HMAC',
	150	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
	151	'-section_name', 'fips_sect', '-verify'])),
	152	"fipsinstall verify fail no install indicator mac");
	153
	154	ok(replace_line_file('module-mac', '00:00:00:00:00:00',
	155	'fips_bad_module_mac.cnf')
	156	&& !run(app(['openssl', 'fipsinstall',
	157	'-in', 'fips_bad_module_mac.cnf',
	158	'-module', $infile,
	159	'-provider_name', 'fips', '-mac_name', 'HMAC',
	160	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
	161	'-section_name', 'fips_sect', '-verify'])),
	162	"fipsinstall verify fail if invalid module integrity value");
	163
	164	ok(replace_line_file('install-mac', '00:00:00:00:00:00',
	165	'fips_bad_install_mac.cnf')
	166	&& !run(app(['openssl', 'fipsinstall',
	167	'-in', 'fips_bad_install_mac.cnf',
	168	'-module', $infile,
	169	'-provider_name', 'fips', '-mac_name', 'HMAC',
	170	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
	171	'-section_name', 'fips_sect', '-verify'])),
	172	"fipsinstall verify fail if invalid install indicator integrity value");
	173
	174	ok(replace_line_file('install-status', 'INCORRECT_STATUS_STRING',
	175	'fips_bad_indicator.cnf')
	176	&& !run(app(['openssl', 'fipsinstall',
	177	'-in', 'fips_bad_indicator.cnf',
	178	'-module', $infile,
	179	'-provider_name', 'fips', '-mac_name', 'HMAC',
	180	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
	181	'-section_name', 'fips_sect', '-verify'])),
	182	"fipsinstall verify fail if invalid install indicator status");
	183
433deaff RS	184	# fail to verify the fips.cnf file if a different key is used
433deaff RS	185	ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43	186	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	187	'-macopt', 'digest:SHA256', '-macopt', "hexkey:01",
9f7bdcf3	188	'-section_name', 'fips_sect', '-verify'])),
be3acd79	189	"fipsinstall verify fail bad key");
95214b43	190
433deaff RS	191	# fail to verify the fips.cnf file if a different mac digest is used
433deaff RS	192	ok(!run(app(['openssl', 'fipsinstall', '-in', 'fips.cnf', '-module', $infile,
95214b43	193	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	194	'-macopt', 'digest:SHA512', '-macopt', "hexkey:$fipskey",
9f7bdcf3	195	'-section_name', 'fips_sect', '-verify'])),
be3acd79	196	"fipsinstall verify fail incorrect digest");
36fc5fc6 SL	197
36fc5fc6 SL	198	# corrupt the module hmac
433deaff	199	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
36fc5fc6	200	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	201	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	202	'-section_name', 'fips_sect', '-corrupt_desc', 'HMAC'])),
36fc5fc6 SL	203	"fipsinstall fails when the module integrity is corrupted");
	204
	205	# corrupt the first digest
9f7bdcf3	206	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
36fc5fc6	207	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	208	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	209	'-section_name', 'fips_sect', '-corrupt_desc', 'SHA1'])),
36fc5fc6 SL	210	"fipsinstall fails when the digest result is corrupted");
	211
	212	# corrupt another digest
9f7bdcf3	213	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
36fc5fc6	214	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	215	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	216	'-section_name', 'fips_sect', '-corrupt_desc', 'SHA3'])),
36fc5fc6	217	"fipsinstall fails when the digest result is corrupted");
980a880e	218
3fed2718 SL	219	# corrupt cipher encrypt test
	220	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
	221	'-provider_name', 'fips', '-mac_name', 'HMAC',
	222	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
3b1978e4	223	'-section_name', 'fips_sect', '-corrupt_desc', 'AES_GCM'])),
3fed2718 SL	224	"fipsinstall fails when the AES_GCM result is corrupted");
	225
	226	# corrupt cipher decrypt test
	227	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
	228	'-provider_name', 'fips', '-mac_name', 'HMAC',
	229	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
	230	'-section_name', 'fips_sect', '-corrupt_desc', 'AES_ECB_Decrypt'])),
	231	"fipsinstall fails when the AES_ECB result is corrupted");
	232
980a880e	233	# corrupt DRBG
9f7bdcf3	234	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf', '-module', $infile,
980a880e	235	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	236	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	237	'-section_name', 'fips_sect', '-corrupt_desc', 'CTR'])),
980a880e	238	"fipsinstall fails when the DRBG CTR result is corrupted");
ec4d1b8f SL	239
ec4d1b8f SL	240	# corrupt a KAS test
a7a7643a MC	241	SKIP: {
	242	skip "Skipping KAS DH corruption test because of no dh in this build", 1
	243	if disabled("dh");
	244
97a8878c	245	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
a7a7643a	246	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	247	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	248	'-section_name', 'fips_sect',
a7a7643a MC	249	'-corrupt_desc', 'DH',
	250	'-corrupt_type', 'KAT_KA'])),
	251	"fipsinstall fails when the kas result is corrupted");
	252	}
ec4d1b8f	253
6e38ac39	254	# corrupt a Signature test - 140-3 requires a known answer test
9be92bec MC	255	SKIP: {
	256	skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
	257	if disabled("dsa");
6e38ac39 P	258
	259	run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
	260	capture => 1, statusvar => \my $exit);
	261	skip "FIPS provider version is too old for KAT DSA signature test", 1
	262	if !$exit;
	263	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
	264	'-provider_name', 'fips', '-mac_name', 'HMAC',
	265	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
7057dddb	266	'-section_name', 'fips_sect', '-self_test_oninstall',
6e38ac39 P	267	'-corrupt_desc', 'DSA',
	268	'-corrupt_type', 'KAT_Signature'])),
	269	"fipsinstall fails when the signature result is corrupted");
	270	}
	271
	272	# corrupt a Signature test - 140-2 allows a pairwise consistency test
	273	SKIP: {
	274	skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
	275	if disabled("dsa");
	276
	277	run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
	278	capture => 1, statusvar => \my $exit);
cc910f1b	279	skip "FIPS provider version is too new for PCT DSA signature test", 1
6e38ac39	280	if !$exit;
97a8878c	281	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
9be92bec	282	'-provider_name', 'fips', '-mac_name', 'HMAC',
31214258	283	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
9f7bdcf3	284	'-section_name', 'fips_sect',
9be92bec	285	'-corrupt_desc', 'DSA',
55950587	286	'-corrupt_type', 'PCT_Signature'])),
9be92bec MC	287	"fipsinstall fails when the signature result is corrupted");
9be92bec MC	288	}
9f7bdcf3	289
4343a418 SL	290	# corrupt an Asymmetric cipher test
	291	SKIP: {
	292	skip "Skipping Asymmetric RSA corruption test because of no rsa in this build", 1
	293	if disabled("rsa");
	294	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
	295	'-corrupt_desc', 'RSA_Encrypt',
	296	'-corrupt_type', 'KAT_AsymmetricCipher'])),
	297	"fipsinstall fails when the asymmetric cipher result is corrupted");
	298	}
	299
e25b4db7 RL	300	# 'local' ensures that this change is only done in this file.
e25b4db7 RL	301	local $ENV{OPENSSL_CONF_INCLUDE} = abs2rel(curdir());
9f7bdcf3 SL	302
	303	ok(replace_parent_line_file('fips.cnf', 'fips_parent.cnf')
	304	&& run(app(['openssl', 'fipsinstall', '-config', 'fips_parent.cnf'])),
	305	"verify fips provider loads from a configuration file");
	306
	307	ok(replace_parent_line_file('fips_no_module_mac.cnf',
	308	'fips_parent_no_module_mac.cnf')
	309	&& !run(app(['openssl', 'fipsinstall',
	310	'-config', 'fips_parent_no_module_mac.cnf'])),
	311	"verify load config fail no module mac");
	312
6e38ac39 P	313	SKIP: {
	314	run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
	315	capture => 1, statusvar => \my $exit);
	316	skip "FIPS provider version doesn't support self test indicator", 3
	317	if !$exit;
	318
	319	ok(replace_parent_line_file('fips_no_install_mac.cnf',
	320	'fips_parent_no_install_mac.cnf')
	321	&& !run(app(['openssl', 'fipsinstall',
	322	'-config', 'fips_parent_no_install_mac.cnf'])),
	323	"verify load config fail no install mac");
	324
	325	ok(replace_parent_line_file('fips_bad_indicator.cnf',
	326	'fips_parent_bad_indicator.cnf')
	327	&& !run(app(['openssl', 'fipsinstall',
	328	'-config', 'fips_parent_bad_indicator.cnf'])),
	329	"verify load config fail bad indicator");
	330
	331
	332	ok(replace_parent_line_file('fips_bad_install_mac.cnf',
	333	'fips_parent_bad_install_mac.cnf')
	334	&& !run(app(['openssl', 'fipsinstall',
	335	'-config', 'fips_parent_bad_install_mac.cnf'])),
	336	"verify load config fail bad install mac");
	337	}
9f7bdcf3 SL	338
	339	ok(replace_parent_line_file('fips_bad_module_mac.cnf',
	340	'fips_parent_bad_module_mac.cnf')
	341	&& !run(app(['openssl', 'fipsinstall',
	342	'-config', 'fips_parent_bad_module_mac.cnf'])),
	343	"verify load config fail bad module mac");
2abffec0	344
6e38ac39 P	345	SKIP: {
	346	run(test(["fips_version_test", "-config", $provconf, "<3.1.0"]),
	347	capture => 1, statusvar => \my $exit);
	348	skip "FIPS provider version doesn't support self test indicator", 3
	349	if !$exit;
2abffec0	350
6e38ac39	351	my $stconf = "fipsmodule_selftest.cnf";
2abffec0	352
6e38ac39 P	353	ok(run(app(['openssl', 'fipsinstall', '-out', $stconf,
	354	'-module', $infile, '-self_test_onload'])),
	355	"fipsinstall config saved without self test indicator");
2abffec0	356
6e38ac39 P	357	ok(!run(app(['openssl', 'fipsinstall', '-in', $stconf,
	358	'-module', $infile, '-verify'])),
	359	"fipsinstall config verify fails without self test indicator");
2abffec0	360
6e38ac39 P	361	ok(run(app(['openssl', 'fipsinstall', '-in', $stconf,
	362	'-module', $infile, '-self_test_onload', '-verify'])),
	363	"fipsinstall config verify passes when self test indicator is not present");
	364	}
7057dddb P	365
	366	SKIP: {
	367	run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
	368	capture => 1, statusvar => \my $exit);
	369	skip "FIPS provider version can run self tests on install", 1
	370	if !$exit;
	371	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
	372	'-provider_name', 'fips', '-mac_name', 'HMAC',
	373	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
50ea5cdc	374	'-section_name', 'fips_sect', '-self_test_oninstall',
50ea5cdc	375	'-ems_check'])),
7057dddb P	376	"fipsinstall fails when attempting to run self tests on install");
7057dddb P	377	}
78bcbc1e P	378
	379	ok(find_line_file('drbg-no-trunc-md = 0', 'fips.cnf') == 1,
	380	'fipsinstall defaults to not banning truncated digests with DRBGs');
	381
	382	ok(run(app(['openssl', 'fipsinstall', '-out', 'fips.cnf', '-module', $infile,
	383	'-provider_name', 'fips', '-mac_name', 'HMAC',
	384	'-macopt', 'digest:SHA256', '-macopt', "hexkey:$fipskey",
	385	'-section_name', 'fips_sect', '-no_drbg_truncated_digests'])),
	386	"fipsinstall knows about allowing truncated digests in DRBGs");
	387
	388	ok(find_line_file('drbg-no-trunc-md = 1', 'fips.cnf') == 1,
	389	'fipsinstall will allow option for truncated digests with DRBGs');
	390
c8093347 P	391
	392	ok(run(app(['openssl', 'fipsinstall', '-out', 'fips-pedantic.cnf',
	393	'-module', $infile, '-pedantic'])),
	394	"fipsinstall accepts -pedantic option");
	395
	396	foreach my $o (@pedantic_okay) {
	397	ok(run(app(['openssl', 'fipsinstall', '-out', "fips-${o}.cnf",
	398	'-module', $infile, '-pedantic', "-${o}"])),
	399	"fipsinstall accepts -${o} after -pedantic option");
	400	}
	401
	402	foreach my $o (@pedantic_fail) {
	403	ok(!run(app(['openssl', 'fipsinstall', '-out', 'fips_fail.cnf',
	404	'-module', $infile, '-pedantic', "-${o}"])),
	405	"fipsinstall disallows -${o} after -pedantic option");
	406	}
	407