Commit | Line | Data |
---|---|---|
95214b43 SL |
1 | #! /usr/bin/env perl |
2 | # Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. | |
3 | # | |
4 | # Licensed under the Apache License 2.0 (the "License"). You may not use | |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
8 | ||
9 | use strict; | |
10 | use warnings; | |
11 | ||
12 | use File::Spec; | |
13 | use File::Copy; | |
14 | use OpenSSL::Glob; | |
15 | use OpenSSL::Test qw/:DEFAULT srctop_dir bldtop_dir bldtop_file/; | |
16 | use OpenSSL::Test::Utils; | |
17 | ||
# Initialise the OpenSSL::Test harness at compile time. The `use lib` lines
# that follow call srctop_dir()/bldtop_dir() while the file is still being
# compiled, so setup() has to have run before they are reached.
BEGIN {
    setup('test_fipsinstall');
}
21 | use lib srctop_dir('Configurations'); | |
22 | use lib bldtop_dir('.'); | |
23 | use platform; | |
24 | ||
# Nothing below is meaningful without the fips provider, so bail out early
# when the build has it disabled.
if (disabled("fips")) {
    plan skip_all => "Test only supported in a fips build";
}

# Must equal the number of ok() checks in this file, counting the ones that
# sit inside SKIP blocks (those are skipped one-for-one when not applicable).
plan tests => 12;

# Path of the FIPS provider module inside the build tree; every fipsinstall
# invocation below passes it to '-module'.
my $infile = bldtop_file('providers', platform->dso('fips'));

# Direct provider lookup to the build tree's providers directory.
# NOTE(review): presumably this keeps the test from picking up a fips module
# installed elsewhere on the machine - confirm against the loader's rules.
$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
31 | ||
# Negative test: '-module' is not followed by a module path, so fipsinstall
# has to exit with an error instead of writing fips.cnf.
# NOTE(review): the next token, '-provider_name', is presumably consumed as
# the module path - confirm. '-mac_name' is also absent here, and
# ok(!run(...)) accepts any non-zero exit, so this check does not pin down
# which of those conditions caused the failure.
ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module
                -provider_name fips
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install)])),
   "fipsinstall fail");
95214b43 | 38 | |
# Negative test: '-verify' must fail when the configuration file named by
# '-in' is missing. Relies on no 'dummy.tmp' being present in the working
# directory; a stale file of that name would make the command fail (or not)
# for a different reason than the one this check is named after.
ok(!run(app([qw(openssl fipsinstall -in dummy.tmp -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install -verify)])),
   "fipsinstall verify fail");
95214b43 SL |
45 | |
46 | ||
433deaff RS |
# Positive test: write fips.cnf containing the MAC data for the module,
# using HMAC with SHA256 and the fixed one-byte test key 00.
# The '-verify' checks further down read this fips.cnf, so they depend on
# this step having run and succeeded first.
ok(run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
            qw(-provider_name fips -mac_name HMAC
               -macopt digest:SHA256 -macopt hexkey:00
               -section_name fips_install)])),
   "fipsinstall");
95214b43 | 53 | |
433deaff RS |
# Positive test: verify fips.cnf against the module with exactly the MAC
# parameters (HMAC, SHA256, key 00) that were used to produce it. This is the
# baseline that gives the mismatching-key and mismatching-digest checks their
# meaning: the same command must succeed when nothing has been altered.
ok(run(app([qw(openssl fipsinstall -in fips.cnf -module), $infile,
            qw(-provider_name fips -mac_name HMAC
               -macopt digest:SHA256 -macopt hexkey:00
               -section_name fips_install -verify)])),
   "fipsinstall verify");
95214b43 | 60 | |
433deaff RS |
# Negative test: fips.cnf was generated under hexkey:00, so verifying it
# under hexkey:01 must be rejected. This is the check that the stored
# integrity MAC really depends on the key.
# NOTE(review): ok(!run(...)) passes on any non-zero exit; it does not
# confirm that a MAC mismatch was the reason for the failure.
ok(!run(app([qw(openssl fipsinstall -in fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:01
                -section_name fips_install -verify)])),
   "fipsinstall verify fail bad key");
95214b43 | 67 | |
433deaff RS |
# Negative test: fips.cnf was generated with digest SHA256, so verifying it
# with digest SHA512 (same key) must be rejected.
# NOTE(review): as with the bad-key check, only the non-zero exit is
# asserted, not the reason for it.
ok(!run(app([qw(openssl fipsinstall -in fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA512 -macopt hexkey:00
                -section_name fips_install -verify)])),
   "fipsinstall verify fail incorrect digest");
36fc5fc6 SL |
74 | |
# Negative test: '-corrupt_desc HMAC' asks fipsinstall to corrupt the
# self-test step described as HMAC (the module integrity check, per the
# assertion text). Installation must then fail.
# What is being proven here is fail-closed behaviour: a module whose
# integrity check does not pass must not yield a successful install.
ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install -corrupt_desc HMAC)])),
   "fipsinstall fails when the module integrity is corrupted");
81 | ||
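# Negative test: corrupt the SHA1 digest self-test ('-corrupt_desc SHA1');
# installation must fail.
# The assertion text names the digest so that this check and the SHA3 one do
# not report under the same description when one of them regresses.
# NOTE(review): ok(!run(...)) only asserts a non-zero exit, not that the
# corrupted self-test was what stopped the install.
ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install -corrupt_desc SHA1)])),
   "fipsinstall fails when the SHA1 digest result is corrupted");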
88 | ||
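# Negative test: corrupt the SHA3 digest self-test ('-corrupt_desc SHA3');
# installation must fail.
# The assertion text names the digest so that this check and the SHA1 one do
# not report under the same description when one of them regresses.
ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install -corrupt_desc SHA3)])),
   "fipsinstall fails when the SHA3 digest result is corrupted");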
980a880e SL |
95 | |
# Negative test: corrupt the DRBG self-test described as CTR
# ('-corrupt_desc CTR'); installation must fail, since a module whose random
# bit generator fails its self-test must not be installed as usable.
ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
             qw(-provider_name fips -mac_name HMAC
                -macopt digest:SHA256 -macopt hexkey:00
                -section_name fips_install -corrupt_desc CTR)])),
   "fipsinstall fails when the DRBG CTR result is corrupted");
ec4d1b8f SL |
102 | |
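# Negative test: corrupt a key-agreement self-test. '-corrupt_desc DH'
# together with '-corrupt_type KAT_KA' selects the DH test of that type;
# installation must fail.
# Skipped (counted as one test, keeping the plan total intact) when the
# build has dh disabled.
# The output file is 'fips.cnf', the same name every other invocation in
# this file uses, so an unexpected success cannot leave a second, differently
# named configuration file behind.
SKIP: {
    skip "Skipping KAS DH corruption test because of no dh in this build", 1
        if disabled("dh");

    ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
                 qw(-provider_name fips -mac_name HMAC
                    -macopt digest:SHA256 -macopt hexkey:00
                    -section_name fips_install
                    -corrupt_desc DH
                    -corrupt_type KAT_KA)])),
       "fipsinstall fails when the kas result is corrupted");
}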
ec4d1b8f SL |
116 | |
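# Negative test: corrupt a signature self-test. '-corrupt_desc DSA'
# together with '-corrupt_type KAT_Signature' selects the DSA test of that
# type; installation must fail.
# Skipped (counted as one test, keeping the plan total intact) when the
# build has dsa disabled.
# The output file is 'fips.cnf', the same name every other invocation in
# this file uses, so an unexpected success cannot leave a second, differently
# named configuration file behind.
SKIP: {
    skip "Skipping Signature DSA corruption test because of no dsa in this build", 1
        if disabled("dsa");

    ok(!run(app([qw(openssl fipsinstall -out fips.cnf -module), $infile,
                 qw(-provider_name fips -mac_name HMAC
                    -macopt digest:SHA256 -macopt hexkey:00
                    -section_name fips_install
                    -corrupt_desc DSA
                    -corrupt_type KAT_Signature)])),
       "fipsinstall fails when the signature result is corrupted");
}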